In open systems verification, to formally check for reliability, one needs an appropriate formalism to 
model the interaction between agents and express the correctness of the system no matter how the envi- 
ronment behaves. An important contribution in this context is given by modal logics for strategic ability, 
in the setting of multi-agent games, such as Atl, Atl*, and the like. Recently, Chatterjee, Henzinger, and 
Piterman introduced Strategy Logic, which we denote here by CHP-Sl, with the aim of getting a powerful 
framework for reasoning explicitly about strategies. CHP-Sl is obtained by using first-order quantifications 
over strategies and has been investigated in the very specific setting of two-agent turn-based games, 
where a non-elementary model-checking algorithm has been provided. While CHP-Sl is a very expressive 
logic, we claim that it does not fully capture the strategic aspects of multi-agent systems. 

In this paper, we introduce and study a more general strategy logic, denoted Sl, for reasoning about 
strategies in multi-agent concurrent games. We prove that Sl includes CHP-Sl, while maintaining a decid- 
able model-checking problem. In particular, the algorithm we propose is computationally not harder than 
the best one known for CHP-Sl. Moreover, we prove that such a problem for Sl is 
NonElementarySpace-hard. This negative result has spurred us to investigate here syntactic fragments of Sl, strictly subsuming 
Atl*, with the hope of obtaining an elementary model-checking problem. Among the others, we study the 
sublogics Sl[ng], Sl[bg], and Sl[1g]. They encompass formulas in a special prenex normal form having, 
respectively, nested temporal goals, Boolean combinations of goals, and a single goal at a time. About these 
logics, we prove that the model-checking problem for Sl[1g] is 2ExpTime-complete, thus not harder than 
the one for Atl*. In contrast, Sl[ng] turns out to be NonElementarySpace-hard, strengthening the 
corresponding result for Sl. Finally, we observe that Sl[bg] includes CHP-Sl, while its model-checking 
problem lies between NonElementaryTime and 2ExpTime. 

Categories and Subject Descriptors: F.3.1 [Logics and Meanings of Programs]: Specifying and Verifying and Reasoning 
about Programs — Specification techniques; F.4.1 [Mathematical Logic and Formal Languages]: Mathematical Logic — 
Modal logic; Temporal logic 
1. INTRODUCTION 

In system design, model checking is a well-established formal method that allows one to 
automatically check for global system correctness [Clarke and Emerson 1981; Queille and Sifakis 1981; 
Clarke et al. 2002]. In such a framework, in order to check whether a system satisfies a required 
property, we describe its structure in a mathematical model (such as Kripke structures [Kripke 1963] 
or labeled transition systems [Keller 1976]), specify the property with a formula of a temporal logic 
(such as Ltl [Pnueli 1977], Ctl [Clarke and Emerson 1981], or Ctl* [Emerson and Halpern 1986]), and 
check formally that the model satisfies the formula. In the last decade, interest has arisen in 
analyzing the behavior of individual components or sets of them in systems with several entities. 
This interest has started in reactive systems, which are systems that interact continually with their 
environments. In module checking [Kupferman et al. 2001], the system is modeled as a module that 
interacts with its environment and correctness means that a desired property holds with respect to 
all such interactions. 

Starting from the study of module checking, researchers have looked for logics focusing on the 
strategic behavior of agents in multi-agent systems [Alur et al. 2002; Pauly 2002; 
Jamroga and van der Hoek 2004]. One of the most important developments in this field is 
Alternating-Time Temporal Logic (Atl*, for short), introduced by Alur, Henzinger, and Kupferman 
[Alur et al. 2002]. Atl* allows reasoning about strategies of agents with temporal goals. Formally, 
it is obtained as a generalization of Ctl* in which the path quantifiers, there exists "E" and 
for all "A", are replaced with strategic modalities of the form "$\langle\langle A \rangle\rangle$" and "$[[A]]$", 
where $A$ is a set of agents (a.k.a. players). Strategic modalities over agent sets are used to 
express cooperation and competition among them in order to achieve certain goals. In particular, 
these modalities express selective quantifications over those paths that are the result of infinite 
games between a coalition and its complement. 

Atl* formulas are interpreted over concurrent game structures (Cgs, for short) [Alur et al. 2002], 
which model interacting processes. Given a Cgs $\mathcal{G}$ and a set $A$ of agents, the Atl* formula 
$\langle\langle A \rangle\rangle \psi$ is satisfied at a state $s$ of $\mathcal{G}$ if there is a set of strategies for agents 
in $A$ such that, no matter which strategies are executed by agents not in $A$, the resulting outcome of 
the interaction in $\mathcal{G}$ satisfies $\psi$ at $s$. Thus, Atl* can express properties related to the 
interaction among components, while Ctl* can only express properties of the global system. As an 
example, consider the property "processes $\alpha$ and $\beta$ cooperate to ensure that a system (having 
more than two processes) never enters a failure state". This can be expressed by the Atl* formula 
$\langle\langle \{\alpha, \beta\} \rangle\rangle \mathsf{G}\, \neg fail$, where $\mathsf{G}$ is the classical Ltl temporal operator 
"globally". Ctl*, in contrast, cannot express this property [Alur et al. 2002]. Indeed, 
it can only assert whether the set of all agents may or may not prevent the system from entering a 
failure state. 

The price that one has to pay for the greater expressiveness of Atl* is the increased complexity 
of model checking. Indeed, both its model-checking and satisfiability problems are 
2ExpTime-complete [Alur et al. 2002; Schewe 2008]. 

Despite its powerful expressiveness, Atl* suffers from a strong limitation, due to the fact that 
strategies are treated only implicitly, through modalities that refer to games between competing 
coalitions. To overcome this problem, Chatterjee, Henzinger, and Piterman introduced Strategy 
Logic (CHP-Sl, for short) [Chatterjee et al. 2007], a logic that treats strategies in two-player 
turn-based games as explicit first-order objects. In CHP-Sl, the Atl* formula 
$\langle\langle \{\alpha\} \rangle\rangle \psi$, for a system modeled by a Cgs with agents $\alpha$ and $\beta$, becomes 
$\exists x. \forall y. \psi(x, y)$, i.e., "there exists a player-$\alpha$ strategy $x$ such that for all 
player-$\beta$ strategies $y$, the unique infinite path resulting from the two players following the 
strategies $x$ and $y$ satisfies the property $\psi$". The explicit treatment of strategies 
in this logic allows one to state many properties not expressible in Atl*. In particular, it is shown 
in [Chatterjee et al. 2007] that Atl*, in the restricted case of two-agent turn-based games, 
corresponds to a proper one-alternation fragment of CHP-Sl. The authors of that work have also shown 
that the model-checking problem for CHP-Sl is decidable, although only a non-elementary algorithm 
for it, both in the size of system and formula, has been provided, leaving as an open question 
whether an algorithm with a better complexity exists or not. The complementary question about the 
decidability of the satisfiability problem for CHP-Sl was also left open and, as far as we know, it 
is not addressed in other papers apart from our preliminary work [Mogavero et al. 2010a]. 



While the basic idea exploited in [Chatterjee et al. 2007] to quantify over strategies and then 
to commit agents explicitly to certain of these strategies turns out to be very powerful and 
useful [Fisman et al. 2010], CHP-Sl still presents severe limitations. Among others, it needs to 
be extended to the more general concurrent multi-agent setting. Also, the specific syntax considered 
there allows only a weak kind of strategy commitment. For example, CHP-Sl does not allow different 
players to share the same strategy, suggesting that strategies have yet to become first-class 
objects in this logic. Moreover, an agent cannot change his strategy during a play without forcing 
the other to do the same. 

These considerations, as well as all questions left open about decision problems, led us to 
introduce and investigate a new Strategy Logic, denoted Sl, as a more general framework than CHP-Sl, 
for explicit reasoning about strategies in multi-agent concurrent games. Syntactically, Sl extends 
Ltl by means of two strategy quantifiers, the existential $\langle\langle x \rangle\rangle$ and the universal $[[x]]$, 
as well as agent binding $(a, x)$, where $a$ is an agent and $x$ a variable. Intuitively, these 
elements can be respectively read as "there exists a strategy $x$", "for all strategies $x$", and 
"bind agent $a$ to the strategy associated with $x$". For example, in a Cgs with the three agents 
$\alpha$, $\beta$, $\gamma$, the previous Atl* formula $\langle\langle \{\alpha, \beta\} \rangle\rangle \mathsf{G}\, \neg fail$ 
can be translated in the Sl formula 
$\langle\langle x \rangle\rangle \langle\langle y \rangle\rangle [[z]] (\alpha, x)(\beta, y)(\gamma, z)(\mathsf{G}\, \neg fail)$. The 
variables $x$ and $y$ are used to select two strategies for the agents $\alpha$ and $\beta$, respectively, 
while $z$ is used to select one for the agent $\gamma$ such that their composition, after the binding, 
results in a play where $fail$ is never met. Note that we can also require, by means of an 
appropriate choice of agent bindings, that agents $\alpha$ and $\beta$ share the same strategy, using the 
formula $\langle\langle x \rangle\rangle [[z]] (\alpha, x)(\beta, x)(\gamma, z)(\mathsf{G}\, \neg fail)$. 
Furthermore, we may vary the structure of the game by changing the way the quantifiers alternate, 
as in the formula $\langle\langle x \rangle\rangle [[z]] \langle\langle y \rangle\rangle (\alpha, x)(\beta, y)(\gamma, z)(\mathsf{G}\, \neg fail)$. 
In this case, $x$ remains uniform w.r.t. $z$, but $y$ becomes dependent on it. Finally, we can 
change the strategy that one agent uses during the play without changing those of the other agents, 
by simply using nested bindings, as in the formula 
$\langle\langle x \rangle\rangle \langle\langle y \rangle\rangle [[z]] \langle\langle w \rangle\rangle (\alpha, x)(\beta, y)(\gamma, z)(\mathsf{G}\, (\gamma, w) \mathsf{G}\, \neg fail)$. 
The last examples intuitively show that Sl is an extension of both Atl* and CHP-Sl. It is worth 
noting that the pattern of modal quantifications over strategies and binding to agents can be 
extended to other linear-time temporal logics than Ltl, such as the linear $\mu$Calculus 
[Vardi 1988]. In fact, the use of Ltl here is only a matter of simplicity in presenting our 
framework, and changing the embedded temporal logic only involves a few side-changes in proofs and 
decision procedures. 

As one of the main results in this paper about Sl, we show that the model-checking 
problem is non-elementarily decidable. To obtain this, we use an automata-theoretic 
approach [Kupferman et al. 2000]. Precisely, we reduce the decision problem for our logic to the 
emptiness problem of a suitable alternating parity tree automaton, which is an alternating 
tree automaton (see [Grädel et al. 2002], for a survey) along with a parity acceptance 
condition [Muller and Schupp 1995]. Due to the operations of projection required by the elimination 
of quantifications on strategies, which induce at any step an exponential blow-up, the overall size 
of the required automaton is non-elementary in the size of the formula, while it is only 
polynomial in the size of the model. Thus, together with the complexity of the automata-nonemptiness 
calculation, we obtain that the model-checking problem is in PTime, w.r.t. the size of the model, 
and NonElementaryTime, w.r.t. the size of the specification. Hence, the algorithm we propose 
is computationally not harder than the best one known for CHP-Sl and even a non-elementary 
improvement with respect to the model. This fact allows for practical applications of Sl in the 
field of system verification just as those done for the monadic second-order logic on infinite 
objects [Elgaard et al. 1998]. Moreover, we prove that our problem has a non-elementary lower bound. 
Specifically, it is $k$-ExpSpace-hard in the alternation number $k$ of quantifications in the 
specification. 

The contrast between the high complexity of the model-checking problem for our logic and the 
elementary one for Atl* has spurred us to investigate syntactic fragments of Sl, strictly subsuming 
Atl*, with a better complexity. In particular, by means of these sublogics, we would like to under- 
stand why Sl is computationally more difficult than Atl*. 

The main fragments we study here are Nested-Goal, Boolean-Goal, and One-Goal Strategy Logic, 
respectively denoted by Sl[ng], Sl[bg], and Sl[1g]. Note that the last, differently from the first 
two, was introduced in [Mogavero et al. 2012]. They encompass formulas in a special prenex normal 
form having nested temporal goals, Boolean combinations of goals, and a single goal at a time, 
respectively. By goal we mean an Sl formula of the type $\flat\psi$, where $\flat$ is a binding prefix 
of the form $(\alpha_1, x_1), \ldots, (\alpha_n, x_n)$ containing all the involved agents and $\psi$ is an 
agent-full formula. In more detail, the idea behind Sl[ng] is that, when in $\psi$ there is a 
quantification over a variable, then there are quantifications of all free variables contained in 
the inner subformulas. So, a subgoal of $\psi$ that has a variable quantified in $\psi$ itself cannot 
use other variables quantified out of this formula. Thus, goals can be only nested or combined with 
Boolean and temporal operators. Sl[bg] and Sl[1g] further restrict the use of goals. In particular, 
in Sl[1g], each temporal formula $\psi$ is prefixed by a quantification-binding prefix $\wp\flat$ that 
quantifies over a tuple of strategies and binds them to all agents. 

As main results about these fragments, we prove that the model-checking problem for Sl[1g] 
is 2ExpTime-complete, thus not harder than the one for Atl*. On the contrary, for Sl[ng], it 
is both NonElementaryTime and NonElementarySpace-hard and thus we strengthen the 
corresponding result for Sl. Finally, we observe that Sl[bg] includes CHP-Sl, while the relative 
model-checking problem lies between 2ExpTime and NonElementaryTime. 

To achieve all positive results about Sl[1g], we use a fundamental property of the semantics of 
this logic, called elementariness, which allows us to strongly simplify the reasoning about strategies 
by reducing it to a set of reasonings about actions. This intrinsic characteristic of Sl[1g], which un- 
fortunately is not shared by the other fragments, asserts that, in a determined history of the play, the 
value of an existential quantified strategy depends only on the values of strategies, from which the 
first depends, on the same history. This means that, to choose an existential strategy, we do not need 
to know the entire structure of universal strategies, as for Sl, but only their values on the histories 
of interest. Technically, to describe this property, we make use of the machinery of dependence map, 
which defines a Skolemization procedure for Sl, inspired by the one in first order logic. 

By means of elementariness, we can modify the Sl model-checking procedure via alternating 
tree automata in such a way that we avoid the projection operations by using a dedicated automaton 
that makes an action quantification for each node of the tree model. Consequently, the resulting 
automaton is only exponential in the size of the formula, independently from its alternation num- 
ber. Thus, together with the complexity of the automata-nonemptiness calculation, we get that the 
model-checking procedure for Sl[1g] is 2ExpTime. Clearly, the elementariness property also holds 
for Atl*, as it is included in Sl[1g]. In particular, although it has not been explicitly stated, this 
property is crucial for most of the results achieved in literature about Atl* by means of automata 
(see [Schewe 2008], as an example). Moreover, we believe that our proof techniques are of 
independent interest and applicable to other logics as well. 

Related works. Several works have focused on extensions of Atl* to incorporate 
more powerful strategic constructs. Among them, we recall Alternating-Time $\mu$Calculus 
(A$\mu$Calculus, for short) [Alur et al. 2002], Game Logic (Gl, for short) [Alur et al. 2002], 
Quantified Decision Modality $\mu$Calculus (QD$\mu$, for short) [Pinchinat 2007], Coordination 
Logic (Cl, for short) [Finkbeiner and Schewe 2010], and some extensions of Atl* considered 
in [Brihaye et al. 2009]. A$\mu$Calculus and QD$\mu$ are intrinsically different from Sl (as well as 
from CHP-Sl and Atl*) as they are obtained by extending the propositional $\mu$-calculus 
[Kozen 1983] with strategic modalities. Cl is similar to QD$\mu$ but with Ltl temporal operators 
instead of explicit fixpoint constructors. Gl is strictly included in CHP-Sl, in the case of 
two-player turn-based games, but it does not use any explicit treatment of strategies, nor do the 
extensions of Atl* introduced in [Brihaye et al. 2009]. In particular, the latter work considers 
restrictions on the memory for strategy quantifiers. Thus, all the above logics are different from 
Sl, which, we recall, aims to be a minimal but powerful logic to reason about strategic behavior in 
multi-agent systems. A very recent generalization of Atl*, which turns out to be expressive but a 
proper sublogic of Sl, is also proposed in [Costa et al. 2010a]. In this logic, a quantification 
over strategies does not reset the strategies previously quantified but allows one to maintain them 
in a particular context in order to be reused. This makes the logic much more expressive than Atl*. 
On the other hand, as it does not allow agents to share the same strategy, it is not comparable 
with the fragments we have considered in this paper. Finally, we want to remark that our 
non-elementary hardness proof about the Sl model-checking problem is inspired by and improves a 
proof proposed for their logic and communicated to us [Costa et al. 2010b] by the authors of 
[Costa et al. 2010a]. 

Note on [Mogavero et al. 2010a]. Preliminary results on Sl appeared in [Mogavero et al. 2010a]. 
We presented there a 2ExpTime algorithm for the model-checking problem. The described procedure 
applies only to the Sl[1g] fragment, as model checking for full Sl is non-elementary. 

Outline. The remaining part of this work is structured as follows. In Section 2, we recall the 
semantic framework based on concurrent game structures and introduce syntax and semantics of 
Sl. Then, in Section 3, we show the non-elementary lower bound for the model-checking problem. 
After this, in Section 4, we start the study of a few syntactic and semantic Sl fragments and 
introduce the concepts of dependence map and elementary satisfiability. Finally, in Section 5, we 
describe the model-checking automata-theoretic procedures for all Sl fragments. Note that, in the 
accompanying Appendix A, we recall standard mathematical notation and some basic definitions that 
are used in the paper. However, for the sake of a simpler understanding of the technical part, we 
make a reminder, by means of footnotes, for each first use of a non-trivial or immediate 
mathematical concept. The paper is self-contained. All missing proofs in the main body of the work 
are reported in the appendix. 

2. STRATEGY LOGIC 

In this section, we introduce Strategy Logic, an extension of the classic linear-time temporal 
logic Ltl [Pnueli 1977] along with the concepts of strategy quantifications and agent binding. 
Our aim is to define a formalism that allows one to express strategic plans over temporal goals in 
a way that separates the part related to the strategic reasoning from that concerning the 
tactical one. This distinctive feature is achieved by decoupling the instantiation of strategies, 
done through the quantifications, from their application by means of bindings. Our proposal, on the 
line marked by its precursor CHP-Sl [Chatterjee et al. 2007; Chatterjee et al. 2010] and 
differently from classical temporal logics [Emerson 1990], results in a logic that is not simply 
propositional but predicative, since we treat strategies as a first-order concept via the use of 
agents and variables as explicit syntactic elements. This fact lets us write Boolean combinations 
and nesting of complex predicates, linked together by some common strategic choice, each of which 
may represent a different temporal goal. However, it is worth noting that the technical 
approach we follow here is quite different from that used for the definition of CHP-Sl, which is 
based, on the syntactic side, on the Ctl* formula framework [Emerson and Halpern 1986] and, 
on the semantic one, on the two-player turn-based game model [Perrin and Pin 2004]. 

The section is organized as follows. In Subsection 2.1, we recall the definition of concurrent game 
structure used to interpret Strategy Logic, whose syntax is introduced in Subsection 2.2. Then, in 
Subsection 2.3, we give, among others, the notions of strategy and play, which are finally used, 
in Subsection 2.4, to define the semantics of the logic. 



2.1. Underlying framework 

As semantic framework for our logic language, we use a graph-based model for multi-player 
games named concurrent game structure [Alur et al. 2002]. Intuitively, this mathematical 
formalism provides a generalization of Kripke structures [Kripke 1963] and labeled transition 
systems [Keller 1976], modeling multi-agent systems viewed as games, in which players perform 
concurrent actions chosen strategically as a function on the history of the play. 

Definition 2.1 (Concurrent Game Structures). A concurrent game structure (Cgs, for short) 
is a tuple $\mathcal{G} \triangleq \langle AP, Ag, Ac, St, \lambda, \tau, s_0 \rangle$, where $AP$ and $Ag$ are finite 
non-empty sets of atomic propositions and agents, $Ac$ and $St$ are enumerable non-empty sets of 
actions and states, $s_0 \in St$ is a designated initial state, and $\lambda : St \to 2^{AP}$ is a 
labeling function that maps each state to the set of atomic propositions true in that state. Let 
$Dc \triangleq Ac^{Ag}$ be the set of decisions, i.e., functions from $Ag$ to $Ac$ representing the 
choices of an action for each agent.¹ Then, $\tau : St \times Dc \to St$ is a transition function 
mapping a pair of a state and a decision to a state. 

ACM Journal Name, Vol. V, No. N. Article A, Publication date: January YYYY. 

A:6 Fabio Mogavero et al. 

Observe that elements in St are not global states of the system, but states of the environment in 
which the agents operate. Thus, they can be viewed as states of the game, which do not include 
the local states of the agents. From a practical point of view, this means that all agents have per- 
fect information on the whole game, since local states are not taken into account in the choice of 
actions [Fagin et al. 1995]. Observe also that, differently from other similar formalizations, each 
agent has the same set of possible executable actions, independently of the current state and of 
choices made by other agents. However, as already reported in literature [Pinchinat 2007], this 
simplifying choice does not result in a limitation of our semantic framework and allows us to give a 
simpler and clearer explanation of all formal definitions and techniques we work on. 

From now on, apart from the examples and if not differently stated, all Cgss are defined on 
the same sets of atomic propositions $AP$ and agents $Ag$, so, when we introduce a new structure 
in our reasonings, we do not make explicit their definition anymore. In addition, we use 
the italic letters $p$, $a$, $c$, and $s$, possibly with indexes, as meta-variables on, respectively, 
the atomic propositions p, q, ... in $AP$, the agents $\alpha$, $\beta$, $\gamma$, ... in $Ag$, the actions 
0, 1, ... in $Ac$, and the states s, ... in $St$. Finally, we use the name of a Cgs as a subscript 
to extract the components from its tuple-structure. Accordingly, if 
$\mathcal{G} = \langle AP, Ag, Ac, St, \lambda, \tau, s_0 \rangle$, we have that $Ac_{\mathcal{G}} = Ac$, 
$\lambda_{\mathcal{G}} = \lambda$, $s_{0\mathcal{G}} = s_0$, and so on. Furthermore, we use the same notational 
concept to make explicit to which Cgs the set $Dc$ of decisions is related. Note that 
we omit the subscripts if the structure can be unambiguously identified from the context. 

Now, to get acquainted with the introduced semantic framework, let us describe two running 
examples of simple concurrent games. In particular, we start by modeling the paper, rock, and 
scissor game. 

Example 2.2 (Paper, Rock, and Scissor). Consider the classic two-player concurrent game paper, 
rock, and scissor (PRS, for short) as represented in Figure 1, where a play continues until one of 
the participants catches the move of the other. Vertices are states of the game and labels on edges 
represent decisions of agents or sets of them, where the symbol $*$ is used in place of every 
possible action. In this specific case, since there are only two agents, the pair of symbols $**$ 
indicates the whole set $Dc$ of decisions. The agents "Alice" and "Bob" in $Ag = \{A, B\}$ have 
as possible actions those in the set $Ac = \{P, R, S\}$, which stand for "paper", "rock", and 
"scissor", respectively. During the play, the game can stay in one of the three states in 
$St = \{s_i, s_A, s_B\}$, which represent, respectively, the waiting moment, named idle, and the two 
winner positions. The latter ones are labeled with one of the atomic propositions in 
$AP = \{w_A, w_B\}$, in order to represent who is the winner. The catch of one action over another 
is described by the relation $C = \{(P, R), (R, S), (S, P)\} \subseteq Ac \times Ac$. We can now define the 
Cgs $\mathcal{G}_{PRS} = \langle AP, Ag, Ac, St, \lambda, \tau, s_i \rangle$ for the PRS game, with the labeling given 
by $\lambda(s_i) = \emptyset$, $\lambda(s_A) = \{w_A\}$, and $\lambda(s_B) = \{w_B\}$ and the transition function 
set as follows, where $D_A = \{d \in Dc_{\mathcal{G}_{PRS}} : (d(A), d(B)) \in C\}$ and 
$D_B = \{d \in Dc_{\mathcal{G}_{PRS}} : (d(B), d(A)) \in C\}$ are the sets of winning decisions for the two 
agents: if $s = s_i$ and $d \in D_A$ then $\tau(s, d) = s_A$, else if $s = s_i$ and $d \in D_B$ then 
$\tau(s, d) = s_B$, otherwise $\tau(s, d) = s$. Note that, when none of the two agents catches the 
action of the other, i.e., the used decision is in 
$D_i \triangleq Dc_{\mathcal{G}_{PRS}} \setminus (D_A \cup D_B)$, the play remains in the idle state to allow 
another try, otherwise it is stuck in a winning position forever. 

[Fig. 1. The Cgs $\mathcal{G}_{PRS}$.] 
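
The structure of Example 2.2 can be written out and checked mechanically. The following Python sketch is an added example, not code from the paper: it encodes the transition function of the PRS game, recovers the three decision classes, and adds a hypothetical helper `can_force_next` that goes beyond the example by testing one-step coalition ability in the usual sense (some joint action of the coalition leads into the target set whatever the remaining agents play).

```python
from itertools import product

# Components of G_PRS as listed in Example 2.2 (string names are our encoding).
AG = ("A", "B")                       # agents: Alice, Bob
AC = ("P", "R", "S")                  # actions: paper, rock, scissor
ST = ("s_i", "s_A", "s_B")            # idle state and the two winning positions
LABEL = {"s_i": frozenset(), "s_A": frozenset({"w_A"}), "s_B": frozenset({"w_B"})}
CATCH = {("P", "R"), ("R", "S"), ("S", "P")}   # the catch relation C
S0 = "s_i"                            # initial state


def decisions():
    """Dc = Ac^Ag: one action per agent, encoded as a dict agent -> action."""
    return [dict(zip(AG, acts)) for acts in product(AC, repeat=len(AG))]


def tau(state, d):
    """Transition function of G_PRS: the idle state is left only on a catch."""
    if state == "s_i" and (d["A"], d["B"]) in CATCH:
        return "s_A"
    if state == "s_i" and (d["B"], d["A"]) in CATCH:
        return "s_B"
    return state                      # ties stay idle; winning states are absorbing


def decision_classes():
    """Return (D_A, D_B, D_i): Alice's wins, Bob's wins, and the remaining ties."""
    dc = decisions()
    d_a = [d for d in dc if (d["A"], d["B"]) in CATCH]
    d_b = [d for d in dc if (d["B"], d["A"]) in CATCH]
    d_i = [d for d in dc if d not in d_a and d not in d_b]
    return d_a, d_b, d_i


def can_force_next(coalition, state, target):
    """Hypothetical helper (not from the paper): True iff the agents in
    `coalition` (a tuple) have a joint action such that, for every choice of
    the other agents, the successor of `state` lies in `target`."""
    others = [a for a in AG if a not in coalition]
    for own in product(AC, repeat=len(coalition)):
        fixed = dict(zip(coalition, own))
        if all(tau(state, {**fixed, **dict(zip(others, rest))}) in target
               for rest in product(AC, repeat=len(others))):
            return True
    return False


if __name__ == "__main__":
    d_a, d_b, d_i = decision_classes()
    print("sizes of D_A, D_B, D_i:", len(d_a), len(d_b), len(d_i))
    print("Alice alone forces w_A in one step:",
          can_force_next(("A",), S0, {"s_A"}))
    print("Alice and Bob together force w_A in one step:",
          can_force_next(("A", "B"), S0, {"s_A"}))
```

In the idle state every action of one player is caught by some action of the other, so no single agent can force a win (or even avoid a loss) in one step, while the coalition of both agents can steer the play to either winning position.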



¹ In the following, we use both $X \to Y$ and $Y^X$ to denote the set of functions from the domain $X$ to the codomain $Y$. 

We now describe a non-classic qualitative version of the well-known prisoner's dilemma. 

Example 2.3 (Prisoner's Dilemma). In the prisoner's dilemma 
(PD, for short), two accomplices are interrogated in separate rooms 
by the police, which offers them the same agreement. If one defects, 
i.e., testifies for the prosecution against the other, while the other 
cooperates, i.e., remains silent, the defector goes free and the silent 
accomplice goes to jail. If both cooperate, they remain free, but will 
surely be interrogated in the near future waiting for a defection. On 
the other hand, if everyone defects, both go to jail. It is ensured 
that no one will know about the choice made by the other. This 
tricky situation can be modeled by the Cgs 
$\mathcal{G}_{PD} = \langle AP, Ag, Ac, St, \lambda, \tau, s_i \rangle$ depicted in Figure 2, 
where the agents "Accomplice-1" and "Accomplice-2" in $Ag = \{A_1, A_2\}$ can choose an action in 
$Ac = \{C, D\}$, which stand for "cooperation" and "defection", respectively. There are four states in 
$St = \{s_i, s_{A_1}, s_{A_2}, s_j\}$. In the idle state $s_i$ the agents are waiting for the 
interrogation, while $s_j$ represents the jail for both of them. The remaining states $s_{A_1}$ and 
$s_{A_2}$ indicate, instead, the situations in which only one of the agents becomes definitely free. 
To characterize the different meaning of these states, we use the atomic propositions in 
$AP = \{f_{A_1}, f_{A_2}\}$, which denote who is "free", by defining the following labeling: 
$\lambda(s_i) = \{f_{A_1}, f_{A_2}\}$, $\lambda(s_{A_1}) = \{f_{A_1}\}$, $\lambda(s_{A_2}) = \{f_{A_2}\}$, and 
$\lambda(s_j) = \emptyset$. The transition function $\tau$ can be easily deduced from the figure. 

[Fig. 2. The Cgs $\mathcal{G}_{PD}$.] 

2.2. Syntax 

Strategy Logic (Sl, for short) syntactically extends Ltl by means of two strategy quantifiers, the 
existential $\langle\langle x \rangle\rangle$ and the universal $[[x]]$, and agent binding $(a, x)$, where $a$ is an 
agent and $x$ a variable. Intuitively, these new elements can be respectively read as "there exists 
a strategy $x$", "for all strategies $x$", and "bind agent $a$ to the strategy associated with the 
variable $x$". The formal syntax of Sl follows. 

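Definition 2.4 (Sl Syntax). Sl formulas are built inductively from the sets of atomic 
propositions $AP$, variables $Var$, and agents $Ag$, by using the following grammar, where 
$p \in AP$, $x \in Var$, and $a \in Ag$: 

$\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \mathsf{X}\,\varphi \mid \varphi\,\mathsf{U}\,\varphi \mid \varphi\,\mathsf{R}\,\varphi \mid \langle\langle x \rangle\rangle\varphi \mid [[x]]\varphi \mid (a, x)\varphi.$ 

Sl denotes the infinite set of formulas generated by the above rules. 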

Observe that, by construction, Ltl is a proper syntactic fragment of Sl, i.e., Ltl $\subset$ Sl. In 
order to abbreviate the writing of formulas, we use the boolean values true $\mathfrak{t}$ and false 
$\mathfrak{f}$ and the well-known temporal operators future 
$\mathsf{F}\,\varphi \triangleq \mathfrak{t}\,\mathsf{U}\,\varphi$ and globally 
$\mathsf{G}\,\varphi \triangleq \mathfrak{f}\,\mathsf{R}\,\varphi$. Moreover, we use the italic letters 
$x, y, z, \ldots$, possibly with indexes, as meta-variables on the variables x, y, z, ... in $Var$. 

A first classic notation related to the Sl syntax that we need to introduce is that of subformula, 
i.e., a syntactic expression that is part of an a priori given formula. By $sub : Sl \to 2^{Sl}$ we 
formally denote the function returning the set of subformulas of an Sl formula. For instance, 
consider $\varphi = \langle\langle x \rangle\rangle(\alpha, x)(\mathsf{F}\,p)$. Then, it is immediate to see that 
$sub(\varphi) = \{\varphi, (\alpha, x)(\mathsf{F}\,p), (\mathsf{F}\,p), p, \mathfrak{t}\}$. 

Normally, predicative logics need the concepts of free and bound placeholders in order to for- 
mally define the meaning of their formulas. The placeholders are used to represent particular po- 
sitions in syntactic expressions that have to be highlighted, since they have a crucial role in the 
definition of the semantics. In first order logic, for instance, there is only one type of placeholders, 
which is represented by the variables. In Sl, instead, we have both agents and variables as placehold- 
ers, as it can be noted by its syntax, in order to distinguish between the quantification of a strategy 
and its application by an agent. Consequently, we need a way to differentiate if an agent has an 
associated strategy via a variable and if a variable is quantified. To do this, we use the set of free 
agents/variables as the subset of $Ag \cup Var$ containing (i) all agents for which there is no 
binding after the occurrence of a temporal operator and (ii) all variables for which there is a 
binding but no quantifications. 

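Definition 2.5 (Sl Free Agents/Variables). The set of free agents/variables of an Sl formula is 
given by the function $free : Sl \to 2^{Ag \cup Var}$ defined as follows: 

(i) $free(p) \triangleq \emptyset$, where $p \in AP$; 

(ii) $free(\neg\varphi) \triangleq free(\varphi)$; 

(iii) $free(\varphi_1\,Op\,\varphi_2) \triangleq free(\varphi_1) \cup free(\varphi_2)$, where $Op \in \{\wedge, \vee\}$; 

(iv) $free(\mathsf{X}\,\varphi) \triangleq Ag \cup free(\varphi)$; 

(v) $free(\varphi_1\,Op\,\varphi_2) \triangleq Ag \cup free(\varphi_1) \cup free(\varphi_2)$, where $Op \in \{\mathsf{U}, \mathsf{R}\}$; 

(vi) $free(Qn\,\varphi) \triangleq free(\varphi) \setminus \{x\}$, where $Qn \in \{\langle\langle x \rangle\rangle, [[x]] : x \in Var\}$; 

(vii) $free((a, x)\varphi) \triangleq free(\varphi)$, if $a \notin free(\varphi)$, where $a \in Ag$ and $x \in Var$; 

(viii) $free((a, x)\varphi) \triangleq (free(\varphi) \setminus \{a\}) \cup \{x\}$, if $a \in free(\varphi)$, where $a \in Ag$ and $x \in Var$. 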

A formula $\varphi$ without free agents (resp., variables), i.e., with $free(\varphi) \cap Ag = \emptyset$ 
(resp., $free(\varphi) \cap Var = \emptyset$), is named agent-closed (resp., variable-closed). If $\varphi$ 
is both agent- and variable-closed, it is referred to as a sentence. The function 
$snt : Sl \to 2^{Sl}$ returns the set of subsentences 
$snt(\varphi) \triangleq \{\phi \in sub(\varphi) : free(\phi) = \emptyset\}$ for each Sl formula $\varphi$. 

Observe that, on the one hand, free agents are introduced in Items (iv) and (v) and removed in Item (viii).
On the other hand, free variables are introduced in Item (viii) and removed in Item (vi). As an example,
let $\varphi = \langle\langle x\rangle\rangle(\alpha, x)(\beta, y)(\mathsf{F}\,p)$ be a formula on the agents $\mathrm{Ag} = \{\alpha, \beta, \gamma\}$. Then, we have
$\mathsf{free}(\varphi) = \{\gamma, y\}$, since $\gamma$ is an agent without any binding after $\mathsf{F}\,p$ and $y$ has no quantification at all.
Consider also the formulas $(\alpha, z)\varphi$ and $(\gamma, z)\varphi$, where the subformula $\varphi$ is the same as above. Then, we have
$\mathsf{free}((\alpha, z)\varphi) = \mathsf{free}(\varphi)$ and $\mathsf{free}((\gamma, z)\varphi) = \{y, z\}$, since $\alpha$ is not free in $\varphi$ but $\gamma$ is,
i.e., $\alpha \notin \mathsf{free}(\varphi)$ and $\gamma \in \mathsf{free}(\varphi)$. So, $(\gamma, z)\varphi$ is agent-closed while $(\alpha, z)\varphi$ is not.
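The eight items of Definition 2.5 translate directly into a recursive function over a formula tree. The following is an added example, not code from the paper: the class names, the string encoding of agents and variables (assumed disjoint), and the encoding of F as "true U" are assumptions made for illustration.

```python
from dataclasses import dataclass

# Sl formula syntax tree (constructed encoding, not from the paper).
# Agents and variables are plain strings taken from disjoint name sets.

@dataclass(frozen=True)
class Atom:
    name: str

@dataclass(frozen=True)
class Not:
    sub: object

@dataclass(frozen=True)
class BoolOp:            # op is "and" or "or"
    op: str
    left: object
    right: object

@dataclass(frozen=True)
class Next:              # X phi
    sub: object

@dataclass(frozen=True)
class TempOp:            # op is "U" or "R"
    op: str
    left: object
    right: object

@dataclass(frozen=True)
class Quant:             # kind is "exists" for <<x>> or "forall" for [[x]]
    kind: str
    var: str
    sub: object

@dataclass(frozen=True)
class Bind:              # agent binding (a, x)
    agent: str
    var: str
    sub: object

def F(sub):
    """F phi, encoded here as (true U phi); 'true' is treated as an atom."""
    return TempOp("U", Atom("true"), sub)

def free(phi, agents):
    """Free agents/variables of phi, following Items (i)-(viii)."""
    if isinstance(phi, Atom):                                   # (i)
        return frozenset()
    if isinstance(phi, Not):                                    # (ii)
        return free(phi.sub, agents)
    if isinstance(phi, BoolOp):                                 # (iii)
        return free(phi.left, agents) | free(phi.right, agents)
    if isinstance(phi, Next):                                   # (iv)
        return frozenset(agents) | free(phi.sub, agents)
    if isinstance(phi, TempOp):                                 # (v)
        return (frozenset(agents) | free(phi.left, agents)
                | free(phi.right, agents))
    if isinstance(phi, Quant):                                  # (vi)
        return free(phi.sub, agents) - {phi.var}
    if isinstance(phi, Bind):
        inner = free(phi.sub, agents)
        if phi.agent not in inner:                              # (vii)
            return inner
        return (inner - {phi.agent}) | {phi.var}                # (viii)
    raise TypeError(f"not an Sl formula: {phi!r}")

def is_agent_closed(phi, agents):
    return not (free(phi, agents) & frozenset(agents))

def is_variable_closed(phi, agents):
    return free(phi, agents) <= frozenset(agents)

def is_sentence(phi, agents):
    return not free(phi, agents)

# The formula <<x>>(alpha, x)(beta, y)(F p) over Ag = {alpha, beta, gamma}.
AG = frozenset({"alpha", "beta", "gamma"})
PHI = Quant("exists", "x", Bind("alpha", "x", Bind("beta", "y", F(Atom("p")))))

if __name__ == "__main__":
    print(sorted(free(PHI, AG)))
    print(sorted(free(Bind("gamma", "z", PHI), AG)))
```
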

Similarly to the case of first order logic, another important concept that characterizes the syntax
of Sl is that of the alternation number of quantifiers, i.e., the maximum number of quantifier
switches $\langle\langle\cdot\rangle\rangle[[\cdot]]$, $[[\cdot]]\langle\langle\cdot\rangle\rangle$, $\langle\langle\cdot\rangle\rangle\neg\langle\langle\cdot\rangle\rangle$, or $[[\cdot]]\neg[[\cdot]]$ that bind a variable in a subformula that is not a
sentence. The constraint on the kind of subformulas that are considered here means that, when we
evaluate the number of such switches, we consider each possible subsentence as an atomic proposition,
hence, its quantifiers are not taken into account. Moreover, it is important to observe that
vacuous quantifications, i.e., quantifications on variables that are not free in the immediate inner
subformula, must not be considered at all in the counting of quantifier switches. This value is
crucial when we want to analyze the complexity of the decision problems of fragments of our logic,
since higher alternation can usually mean higher complexity. By $\mathsf{alt} : \mathrm{Sl} \to \mathbb{N}$ we formally denote
the function returning the alternation number of an Sl formula. Furthermore, the fragment
Sl[k-alt] $\triangleq \{\varphi \in \mathrm{Sl} : \forall \varphi' \in \mathsf{sub}(\varphi) \,.\, \mathsf{alt}(\varphi') \leq k\}$ of Sl, for $k \in \mathbb{N}$, denotes the subset of
formulas having all subformulas with alternation number bounded by $k$. For instance, consider the
sentence $\varphi = [[x]]\langle\langle y\rangle\rangle(\alpha, x)(\beta, y)(\mathsf{F}\,\varphi')$ with $\varphi' = [[x]]\langle\langle y\rangle\rangle(\alpha, x)(\beta, y)(\mathsf{X}\,p)$, on the set of agents
$\mathrm{Ag} = \{\alpha, \beta\}$. Then, the alternation number $\mathsf{alt}(\varphi)$ is 1 and not 3, as one might think at first glance,
since $\varphi'$ is a sentence. Moreover, it holds that $\mathsf{alt}(\varphi') = 1$. Hence, $\varphi \in$ Sl[1-alt]. On the other hand,
if we substitute $\varphi'$ with $\varphi'' = [[x]](\alpha, x)(\mathsf{X}\,p)$, we have that $\mathsf{alt}(\varphi) = 2$, since $\varphi''$ is not a sentence.
Thus, it holds that $\varphi \notin$ Sl[1-alt] but $\varphi \in$ Sl[2-alt].

At this point, in order to practice with the syntax of our logic by expressing game-theoretic
concepts through formulas, we describe two examples of important properties that are possible to
write in Sl, but neither in Atl* [Alur et al. 2002] nor in CHP-Sl. This is clarified later in the
paper. The first concept we introduce is the well-known deterministic concurrent multi-player Nash
equilibrium for Boolean valued payoffs.

Example 2.6 (Nash Equilibrium). Consider the $n$ agents $\alpha_1, \ldots, \alpha_n$ of a game, each of them
having, respectively, a possibly different temporal goal described by one of the Ltl formulas
$\psi_1, \ldots, \psi_n$. Then, we can express the existence of a strategy profile $(x_1, \ldots, x_n)$ that is a Nash
equilibrium (NE, for short) for $\alpha_1, \ldots, \alpha_n$ w.r.t. $\psi_1, \ldots, \psi_n$ by using the Sl[1-alt] sentence
$\varphi_{NE} \triangleq \langle\langle x_1\rangle\rangle(\alpha_1, x_1) \cdots \langle\langle x_n\rangle\rangle(\alpha_n, x_n)\, \psi_{NE}$, where $\psi_{NE} \triangleq \bigwedge_{i=1}^{n} (\langle\langle y\rangle\rangle(\alpha_i, y)\psi_i) \rightarrow \psi_i$ is a variable-closed
formula. Informally, this asserts that every agent $\alpha_i$ has $x_i$ as one of the best strategies w.r.t. the goal
$\psi_i$, once all the other strategies of the remaining agents $\alpha_j$, with $j \neq i$, have been fixed to $x_j$. Note
that here we are only considering equilibria under deterministic strategies.

As in physics, also in game theory an equilibrium is not always stable. Indeed, there are games
like the PD of Example 2.3 on page 7 having Nash equilibria that are instable. One of the simplest
concepts of stability that is possible to think is called stability profile.

Example 2.7 (Stability Profile). Think about the same situation of the above example on NE.
Then, a stability profile (SP, for short) is a strategy profile $(x_1, \ldots, x_n)$ for $\alpha_1, \ldots, \alpha_n$ w.r.t.
$\psi_1, \ldots, \psi_n$ such that there is no agent $\alpha_i$ that can choose a different strategy from $x_i$ without changing
its own payoff and penalizing the payoff of another agent $\alpha_j$, with $j \neq i$. To represent the existence
of such a profile, we can use the Sl[1-alt] sentence $\varphi_{SP} \triangleq \langle\langle x_1\rangle\rangle(\alpha_1, x_1) \cdots \langle\langle x_n\rangle\rangle(\alpha_n, x_n)\, \psi_{SP}$,
where $\psi_{SP} \triangleq \bigwedge_{i,j=1,\, i \neq j}^{n} \psi_j \rightarrow [[y]]((\psi_i \leftrightarrow (\alpha_i, y)\psi_i) \rightarrow (\alpha_i, y)\psi_j)$. Informally, with the $\psi_{SP}$
subformula, we assert that, if $\alpha_j$ is able to achieve his goal $\psi_j$, all strategies $y$ of $\alpha_i$ that leave
unchanged the payoff related to $\psi_i$ also let $\alpha_j$ maintain his achieved goal. At this point, it
is very easy to ensure the existence of an NE that is also an SP, by using the Sl[1-alt] sentence

$\varphi_{SNE} \triangleq \langle\langle x_1\rangle\rangle(\alpha_1, x_1) \cdots \langle\langle x_n\rangle\rangle(\alpha_n, x_n)\, \psi_{SP} \wedge \psi_{NE}$.

2.3. Basic concepts 

Before continuing with the description of our logic, we have to introduce some basic concepts,
regarding a generic Cgs, that are at the base of the semantics formalization. Recall that a description
of the mathematical notation used is reported in Appendix A.

We start with the notions of track and path. Intuitively, tracks and paths of a Cgs $\mathcal{G}$ are legal
sequences of reachable states in $\mathcal{G}$ that can be respectively seen as partial and complete descriptions
of possible outcomes of the game modeled by $\mathcal{G}$ itself.

Definition 2.8 (Tracks and Paths). A track (resp., path) in a Cgs $\mathcal{G}$ is a finite (resp., an infinite)
sequence of states $\rho \in \mathrm{St}^{*}$ (resp., $\pi \in \mathrm{St}^{\omega}$) such that, for all $i \in [0, |\rho| - 1[$ (resp., $i \in \mathbb{N}$),
there exists a decision $d \in \mathrm{Dc}$ such that $(\rho)_{i+1} = \tau((\rho)_i, d)$ (resp., $(\pi)_{i+1} = \tau((\pi)_i, d)$). A
track $\rho$ is non-trivial if it has non-zero length, i.e., $|\rho| > 0$, that is $\rho \neq \varepsilon$. The set $\mathrm{Trk} \subseteq \mathrm{St}^{+}$
(resp., $\mathrm{Pth} \subseteq \mathrm{St}^{\omega}$) contains all non-trivial tracks (resp., paths). Moreover, $\mathrm{Trk}(s) \triangleq \{\rho \in \mathrm{Trk} : \mathsf{fst}(\rho) = s\}$
(resp., $\mathrm{Pth}(s) \triangleq \{\pi \in \mathrm{Pth} : \mathsf{fst}(\pi) = s\}$) indicates the subsets of tracks (resp., paths)
starting at a state $s \in \mathrm{St}$.

For instance, consider the PRS game of Example 2.2 on page 6. Then, $\rho = s_i \cdot s_A \in \mathrm{St}^{*}$ and
$\pi = s_i^{\omega} \in \mathrm{St}^{\omega}$ are, respectively, a track and a path in the Cgs $\mathcal{G}_{PRS}$. Moreover, it holds that
$\mathrm{Trk} = s_i^{+} + s_i^{*} \cdot (s_A^{+} + s_B^{+})$ and $\mathrm{Pth} = s_i^{\omega} + s_i^{*} \cdot (s_A^{\omega} + s_B^{\omega})$.

At this point, we can define the concept of strategy. Intuitively, a strategy is a scheme for an agent 
that contains all choices of actions as a function of the history of the current outcome. However, 
observe that here we do not set an a priori connection between a strategy and an agent, since the 
same strategy can be used by more than one agent at the same time. 



The notation $(w)_i \in \Sigma$ indicates the element of index $i \in [0, |w|[$ of a non-empty sequence $w \in \Sigma^{\infty}$.
The Greek letter $\varepsilon$ stands for the empty sequence.

By $\mathsf{fst}(w) \triangleq (w)_0$ it is denoted the first element of a non-empty sequence $w \in \Sigma^{\infty}$.

Definition 2.9 (Strategies). A strategy in a Cgs $\mathcal{G}$ is a partial function $\mathsf{f} : \mathrm{Trk} \rightharpoonup \mathrm{Ac}$ that maps
each non-trivial track in its domain to an action. For a state $s \in \mathrm{St}$, a strategy $\mathsf{f}$ is said to be $s$-total if
it is defined on all tracks starting in $s$, i.e., $\mathsf{dom}(\mathsf{f}) = \mathrm{Trk}(s)$. The set $\mathrm{Str} \triangleq \mathrm{Trk} \rightharpoonup \mathrm{Ac}$ (resp.,
$\mathrm{Str}(s) \triangleq \mathrm{Trk}(s) \to \mathrm{Ac}$) contains all (resp., $s$-total) strategies.

An example of strategy in the Cgs $\mathcal{G}_{PRS}$ is the function $\mathsf{f}_1 \in \mathrm{Str}(s_i)$ that maps each track having
length multiple of 3 to the action P, the tracks whose remainder of length modulo 3 is 1 to the action
R, and the remaining tracks to the action S. A different strategy is given by the function $\mathsf{f}_2 \in \mathrm{Str}(s_i)$
that returns the action P, if the track ends in $s_A$ or $s_B$ or if its length is neither a second nor a third
power of a positive number, the action R, if the length is a square power, and the action S, otherwise.

An important operation on strategies is that of translation along a given track, which is used to 
determine which part of a strategy has yet to be used in the game. 

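Definition 2.10 (Strategy Translation). Let $\mathsf{f} \in \mathrm{Str}$ be a strategy and $\rho \in \mathsf{dom}(\mathsf{f})$ a track in its
domain. Then, $(\mathsf{f})_{\rho} \in \mathrm{Str}$ denotes the translation of $\mathsf{f}$ along $\rho$, i.e., the strategy with
$\mathsf{dom}((\mathsf{f})_{\rho}) \triangleq \{\rho' \in \mathrm{Trk}(\mathsf{lst}(\rho)) : \rho \cdot (\rho')_{\geq 1} \in \mathsf{dom}(\mathsf{f})\}$ such that $(\mathsf{f})_{\rho}(\rho') \triangleq \mathsf{f}(\rho \cdot (\rho')_{\geq 1})$, for all $\rho' \in \mathsf{dom}((\mathsf{f})_{\rho})$.

Intuitively, the translation $(\mathsf{f})_{\rho}$ is the update of the strategy $\mathsf{f}$, once the history of the game becomes
$\rho$. It is important to observe that, if $\mathsf{f}$ is a $\mathsf{fst}(\rho)$-total strategy then $(\mathsf{f})_{\rho}$ is $\mathsf{lst}(\rho)$-total. For instance,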
consider the two tracks pi = s^"* G Trk(si) and p2 ~ s^* ■ sa^ G Trk(si) in the Cos Qprs and the 
strategy $\mathsf{f}_1 \in \mathrm{Str}(s_i)$ previously described. Then, we have that $(\mathsf{f}_1)_{\rho_1} = \mathsf{f}_1$, while $(\mathsf{f}_1)_{\rho_2} \in \mathrm{Str}(s_A)$
maps each track having length multiple of 3 to the action S, each track whose remainder of length
modulo 3 is 1 to the action P, and the remaining tracks to the action R.

We now introduce the notion of assignment. Intuitively, an assignment gives a valuation
of variables with strategies, where the latter are used to determine the behavior
of agents in the game. In more detail, as in the case of first order logic,
we use this concept as a technical tool to quantify over strategies associated with
variables, independently of the agents to which they are related. So, assignments are
used precisely as a way to define a correspondence between variables and agents via strategies.

Definition 2.11 (Assignments). An assignment in a Cgs $\mathcal{G}$ is a partial function $\chi : \mathrm{Var} \cup \mathrm{Ag} \rightharpoonup \mathrm{Str}$
mapping variables and agents in its domain to a strategy. An assignment $\chi$ is complete if it
is defined on all agents, i.e., $\mathrm{Ag} \subseteq \mathsf{dom}(\chi)$. For a state $s \in \mathrm{St}$, it is said that $\chi$ is $s$-total if all
strategies $\chi(l)$ are $s$-total, for $l \in \mathsf{dom}(\chi)$. The set $\mathrm{Asg} \triangleq \mathrm{Var} \cup \mathrm{Ag} \rightharpoonup \mathrm{Str}$ (resp.,
$\mathrm{Asg}(s) \triangleq \mathrm{Var} \cup \mathrm{Ag} \rightharpoonup \mathrm{Str}(s)$) contains all (resp., $s$-total) assignments. Moreover, $\mathrm{Asg}(X) \triangleq X \to \mathrm{Str}$ (resp.,
$\mathrm{Asg}(X, s) \triangleq X \to \mathrm{Str}(s)$) indicates the subset of $X$-defined (resp., $s$-total) assignments, i.e., (resp.,
$s$-total) assignments defined on the set $X \subseteq \mathrm{Var} \cup \mathrm{Ag}$.

As an example of assignment, let us consider the function $\chi_1 \in \mathrm{Asg}$ in the Cgs $\mathcal{G}_{PRS}$, defined
on the set $\{A, x\}$, whose values are $\mathsf{f}_1$ on $A$ and $\mathsf{f}_2$ on $x$, where the strategies $\mathsf{f}_1, \mathsf{f}_2 \in \mathrm{Str}(s_i)$ are
those described above. Another example is given by the assignment $\chi_2 \in \mathrm{Asg}$, defined on the set
$\{A, B\}$, such that $\chi_2(A) = \chi_1(x)$ and $\chi_2(B) = \chi_1(A)$. Note that both are $s_i$-total and the latter is
also complete while the former is not.

As in the case of strategies, it is useful to define the operation of translation along a given track 
for assignments too. 

Definition 2.12 (Assignment Translation). For a given state $s \in \mathrm{St}$, let $\chi \in \mathrm{Asg}(s)$ be an $s$-total
assignment and $\rho \in \mathrm{Trk}(s)$ a track. Then, $(\chi)_{\rho} \in \mathrm{Asg}(\mathsf{lst}(\rho))$ denotes the translation of $\chi$
along $\rho$, i.e., the $\mathsf{lst}(\rho)$-total assignment, with $\mathsf{dom}((\chi)_{\rho}) \triangleq \mathsf{dom}(\chi)$, such that $(\chi)_{\rho}(l) \triangleq (\chi(l))_{\rho}$,
for all $l \in \mathsf{dom}(\chi)$.

By $\mathsf{lst}(w) \triangleq (w)_{|w|-1}$ it is denoted the last element of a finite non-empty sequence $w \in \Sigma^{*}$.

The notation $(w)_{\geq i} \in \Sigma^{\infty}$ indicates the suffix from index $i \in [0, |w|]$ inwards of a non-empty sequence $w \in \Sigma^{\infty}$.

Intuitively, the translation $(\chi)_{\rho}$ is the simultaneous update of all strategies $\chi(l)$ defined by the
assignment $\chi$, once the history of the game becomes $\rho$.

Given an assignment $\chi$, an agent or variable $l$, and a strategy $\mathsf{f}$, it is important to define a notation
to represent the redefinition of $\chi$, i.e., a new assignment equal to the first on all elements of its
domain but $l$, on which it assumes the value $\mathsf{f}$.

Definition 2.13 (Assignment Redefinition). Let $\chi \in \mathrm{Asg}$ be an assignment, $\mathsf{f} \in \mathrm{Str}$ a strategy
and $l \in \mathrm{Var} \cup \mathrm{Ag}$ either an agent or a variable. Then, $\chi[l \mapsto \mathsf{f}] \in \mathrm{Asg}$ denotes the new assignment
defined on $\mathsf{dom}(\chi[l \mapsto \mathsf{f}]) \triangleq \mathsf{dom}(\chi) \cup \{l\}$ that returns $\mathsf{f}$ on $l$ and is equal to $\chi$ on the remaining
part of its domain, i.e., $\chi[l \mapsto \mathsf{f}](l) \triangleq \mathsf{f}$ and $\chi[l \mapsto \mathsf{f}](l') \triangleq \chi(l')$, for all $l' \in \mathsf{dom}(\chi) \setminus \{l\}$.

Intuitively, if we have to add or update a strategy that needs to be bound by an agent or variable,
we can simply take the old assignment and redefine it by using the above notation. It is worth
observing that, if $\chi$ and $\mathsf{f}$ are $s$-total then $\chi[l \mapsto \mathsf{f}]$ is $s$-total too.

Now, we can introduce the concept of play in a game. Intuitively, a play is the unique outcome of
the game determined by the strategies of all agents participating in it.

Definition 2.14 (Plays). A path $\pi \in \mathrm{Pth}(s)$ starting at a state $s \in \mathrm{St}$ is a play w.r.t. a complete
$s$-total assignment $\chi \in \mathrm{Asg}(s)$ ($(\chi, s)$-play, for short) if, for all $i \in \mathbb{N}$, it holds that
$(\pi)_{i+1} = \tau((\pi)_i, d)$, where $d(a) \triangleq \chi(a)((\pi)_{\leq i})$, for each $a \in \mathrm{Ag}$. The partial function $\mathsf{play} : \mathrm{Asg} \times \mathrm{St} \rightharpoonup \mathrm{Pth}$,
with $\mathsf{dom}(\mathsf{play}) \triangleq \{(\chi, s) : \mathrm{Ag} \subseteq \mathsf{dom}(\chi) \wedge \chi \in \mathrm{Asg}(s) \wedge s \in \mathrm{St}\}$, returns the $(\chi, s)$-play
$\mathsf{play}(\chi, s) \in \mathrm{Pth}(s)$, for all pairs $(\chi, s)$ in its domain.

As a last example, consider again the complete $s_i$-total assignment $\chi_2$ previously described for the
Cgs $\mathcal{G}_{PRS}$, which returns the strategies $\mathsf{f}_2$ and $\mathsf{f}_1$ on the agents $A$ and $B$, respectively. Then, we have
that play(x2, s^) — s.^" ■ sb". This means that the play is won by the agent B. 

Finally, we give the definition of global translation of a complete assignment together with a 
related state, which is used to calculate, at a certain step of the play, what is the current state and its 
updated assignment. 

Definition 2.15 (Global Translation). For a given state $s \in \mathrm{St}$ and a complete $s$-total assignment
$\chi \in \mathrm{Asg}(s)$, the $i$-th global translation of $(\chi, s)$, with $i \in \mathbb{N}$, is the pair of a complete
assignment and a state $(\chi, s)^{i} \triangleq ((\chi)_{(\pi)_{\leq i}}, (\pi)_i)$, where $\pi = \mathsf{play}(\chi, s)$.

In order to avoid any ambiguity of interpretation of the described notions, we may use the name
of a Cgs as a subscript of the sets and functions just introduced to clarify to which structure they
are related, as in the case of components in the tuple-structure of the Cgs itself.

2.4. Semantics 

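As already reported at the beginning of this section, just like Atl* and differently from CHP-Sl,
the semantics of Sl is defined w.r.t. concurrent game structures. For a Cgs $\mathcal{G}$, one of its states $s$, and
an $s$-total assignment $\chi$ with $\mathsf{free}(\varphi) \subseteq \mathsf{dom}(\chi)$, we write $\mathcal{G}, \chi, s \models \varphi$ to indicate that the formula
$\varphi$ holds at $s$ in $\mathcal{G}$ under $\chi$. The semantics of Sl formulas involving the atomic propositions, the
Boolean connectives $\neg$, $\wedge$, and $\vee$, as well as the temporal operators $\mathsf{X}$, $\mathsf{U}$, and $\mathsf{R}$ is defined as usual
in Ltl. The novel part resides in the formalization of the meaning of strategy quantifications $\langle\langle x\rangle\rangle$
and $[[x]]$ and agent binding $(a, x)$.

Definition 2.16 (Sl Semantics). Given a Cgs $\mathcal{G}$, for all Sl formulas $\varphi$, states $s \in \mathrm{St}$, and
$s$-total assignments $\chi \in \mathrm{Asg}(s)$ with $\mathsf{free}(\varphi) \subseteq \mathsf{dom}(\chi)$, the modeling relation $\mathcal{G}, \chi, s \models \varphi$ is
inductively defined as follows.

(1) $\mathcal{G}, \chi, s \models p$ if $p \in \lambda(s)$, with $p \in \mathrm{AP}$.

(2) For all formulas $\varphi$, $\varphi_1$, and $\varphi_2$, it holds that:

(a) $\mathcal{G}, \chi, s \models \neg\varphi$ if not $\mathcal{G}, \chi, s \models \varphi$, that is $\mathcal{G}, \chi, s \not\models \varphi$;

(b) $\mathcal{G}, \chi, s \models \varphi_1 \wedge \varphi_2$ if $\mathcal{G}, \chi, s \models \varphi_1$ and $\mathcal{G}, \chi, s \models \varphi_2$;

(c) $\mathcal{G}, \chi, s \models \varphi_1 \vee \varphi_2$ if $\mathcal{G}, \chi, s \models \varphi_1$ or $\mathcal{G}, \chi, s \models \varphi_2$.

(3) For a variable $x \in \mathrm{Var}$ and a formula $\varphi$, it holds that:

(a) $\mathcal{G}, \chi, s \models \langle\langle x\rangle\rangle\varphi$ if there exists an $s$-total strategy $\mathsf{f} \in \mathrm{Str}(s)$ such that $\mathcal{G}, \chi[x \mapsto \mathsf{f}], s \models \varphi$;

(b) $\mathcal{G}, \chi, s \models [[x]]\varphi$ if for all $s$-total strategies $\mathsf{f} \in \mathrm{Str}(s)$ it holds that $\mathcal{G}, \chi[x \mapsto \mathsf{f}], s \models \varphi$.

(4) For an agent $a \in \mathrm{Ag}$, a variable $x \in \mathrm{Var}$, and a formula $\varphi$, it holds that $\mathcal{G}, \chi, s \models (a, x)\varphi$ if
$\mathcal{G}, \chi[a \mapsto \chi(x)], s \models \varphi$.

(5) Finally, if the assignment $\chi$ is also complete, for all formulas $\varphi$, $\varphi_1$, and $\varphi_2$, it holds that:

(a) $\mathcal{G}, \chi, s \models \mathsf{X}\,\varphi$ if $\mathcal{G}, (\chi, s)^{1} \models \varphi$;

(b) $\mathcal{G}, \chi, s \models \varphi_1 \,\mathsf{U}\, \varphi_2$ if there is an index $i \in \mathbb{N}$ with $k \leq i$ such that $\mathcal{G}, (\chi, s)^{i} \models \varphi_2$ and, for
all indexes $j \in \mathbb{N}$ with $k \leq j < i$, it holds that $\mathcal{G}, (\chi, s)^{j} \models \varphi_1$;

(c) $\mathcal{G}, \chi, s \models \varphi_1 \,\mathsf{R}\, \varphi_2$ if, for all indexes $i \in \mathbb{N}$ with $0 \leq i$, it holds that $\mathcal{G}, (\chi, s)^{i} \models \varphi_2$ or there
is an index $j \in \mathbb{N}$ with $k \leq j < i$ such that $\mathcal{G}, (\chi, s)^{j} \models \varphi_1$.

The notation $(w)_{\leq i} \in \Sigma^{*}$ indicates the prefix up to index $i \in [0, |w|]$ of a non-empty sequence $w \in \Sigma^{\infty}$.

Intuitively, at Items 3a and 3b, respectively, we evaluate the existential $\langle\langle x\rangle\rangle$ and universal $[[x]]$
quantifiers over strategies, by associating them to the variable $x$. Moreover, at Item 4, by means of an
agent binding $(a, x)$, we commit the agent $a$ to a strategy associated with the variable $x$. It is evident
that, due to Items 5a, 5b, and 5c, the Ltl semantics is simply embedded into the Sl one.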

In order to complete the description of the semantics, we now give the classic notions of model 
and satisfiability of an Sl sentence. 

Definition 2.17 (Sl Satisfiability). We say that a Cgs $\mathcal{G}$ is a model of an Sl sentence $\varphi$, in
symbols $\mathcal{G} \models \varphi$, if $\mathcal{G}, \emptyset, s_0 \models \varphi$. In general, we also say that $\mathcal{G}$ is a model for $\varphi$ on $s \in \mathrm{St}$, in
symbols $\mathcal{G}, s \models \varphi$, if $\mathcal{G}, \emptyset, s \models \varphi$. An Sl sentence $\varphi$ is satisfiable if there is a model for it.

It remains to introduce the concepts of implication and equivalence between Sl formulas, which
are useful to describe transformations preserving the meaning of a specification.

Definition 2.18 (Sl Implication and Equivalence). Given two Sl formulas $\varphi_1$ and $\varphi_2$ with
$\mathsf{free}(\varphi_1) = \mathsf{free}(\varphi_2)$, we say that $\varphi_1$ implies $\varphi_2$, in symbols $\varphi_1 \Rightarrow \varphi_2$, if, for all Cgss $\mathcal{G}$, states
$s \in \mathrm{St}$, and $\mathsf{free}(\varphi_1)$-defined $s$-total assignments $\chi \in \mathrm{Asg}(\mathsf{free}(\varphi_1), s)$, it holds that if $\mathcal{G}, \chi, s \models \varphi_1$
then $\mathcal{G}, \chi, s \models \varphi_2$. Accordingly, we say that $\varphi_1$ is equivalent to $\varphi_2$, in symbols $\varphi_1 \equiv \varphi_2$, if both
$\varphi_1 \Rightarrow \varphi_2$ and $\varphi_2 \Rightarrow \varphi_1$ hold.

In the rest of the paper, especially when we describe a decision procedure, we may consider
formulas in existential normal form (enf, for short) and positive normal form (pnf, for short), i.e.,
formulas in which only existential quantifiers appear or in which the negation is applied only to
atomic propositions. In fact, it is to this aim that we have considered in the syntax of Sl both the
Boolean connectives $\wedge$ and $\vee$, the temporal operators $\mathsf{U}$ and $\mathsf{R}$, and the strategy quantifiers $\langle\langle\cdot\rangle\rangle$ and
$[[\cdot]]$. Indeed, all formulas can be linearly translated in pnf by using De Morgan's laws together with
the following equivalences, which directly follow from the semantics of the logic: $\neg\mathsf{X}\,\varphi \equiv \mathsf{X}\,\neg\varphi$,
$\neg(\varphi_1 \,\mathsf{U}\, \varphi_2) \equiv (\neg\varphi_1) \,\mathsf{R}\, (\neg\varphi_2)$, $\neg\langle\langle x\rangle\rangle\varphi \equiv [[x]]\neg\varphi$, and $\neg(a, x)\varphi \equiv (a, x)\neg\varphi$.

At this point, in order to better understand the meaning of our logic, we discuss two examples
in which we describe the evaluation of the semantics of some formula w.r.t. the a priori given Cgss.
We start by explaining how a strategy can be shared by different agents.

Example 2.19 (Shared Variable). Consider the Sl[2-alt] sentence
$\varphi = \langle\langle x\rangle\rangle[[y]]\langle\langle z\rangle\rangle((\alpha, x)(\beta, y)(\mathsf{X}\,p) \wedge (\alpha, y)(\beta, z)(\mathsf{X}\,q))$. It
is immediate to note that both agents $\alpha$ and $\beta$ use the strategy associated with $y$ to achieve
simultaneously the Ltl temporal goals $\mathsf{X}\,p$ and $\mathsf{X}\,q$. A model for $\varphi$ is given by the Cgs
$\mathcal{G}_{SV} \triangleq \langle\{p, q\}, \{\alpha, \beta\}, \{0, 1\}, \{s_0, s_1, s_2, s_3\}, \lambda, \tau, s_0\rangle$, where $\lambda(s_0) \triangleq \emptyset$, $\lambda(s_1) \triangleq \{p\}$, $\lambda(s_2) \triangleq \{p, q\}$, $\lambda(s_3) \triangleq \{q\}$,
$\tau(s_0, (0, 0)) \triangleq s_1$, $\tau(s_0, (0, 1)) \triangleq s_2$, $\tau(s_0, (1, 0)) \triangleq s_3$, and all the remaining transitions (with any
decision) go to $s_0$. In Figure 3 we report a graphical representation of the structure.
Clearly, $\mathcal{G}_{SV} \models \varphi$ by letting, on $s_0$, the variable $x$ choose action 0 (the goal $(\alpha, x)(\beta, y)(\mathsf{X}\,p)$
is satisfied for any choice of $y$, since we can move from $s_0$ to either $s_1$ or $s_2$, both labeled with $p$)
and $z$ choose action 1 when $y$ has action 0 and, vice versa, when $y$ has 1 (in both cases, the goal
$(\alpha, y)(\beta, z)(\mathsf{X}\,q)$ is satisfied, since one can move from $s_0$ to either $s_2$ or $s_3$, both labeled with $q$).

Fig. 3: The Cgs $\mathcal{G}_{SV}$.

The symbol $\emptyset$ stands for the empty function.
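The evaluation in Example 2.19 can be checked by brute force. The following is an added example, not code from the paper; it relies on the simplifying assumption that, since both goals are of the form X, only the action a strategy picks on the one-state track $s_0$ matters, so each strategy is represented by that single action. It also goes slightly beyond the example by evaluating a reordered quantifier prefix, which shows why $z$ must be chosen after $y$.

```python
# G_SV from Example 2.19: labeling and the transitions leaving s0.
ACTIONS = (0, 1)
LABEL = {"s0": set(), "s1": {"p"}, "s2": {"p", "q"}, "s3": {"q"}}
TAU_S0 = {(0, 0): "s1", (0, 1): "s2", (1, 0): "s3"}

def tau(state, decision):
    """Transition function; decision = (action of alpha, action of beta)."""
    if state == "s0":
        return TAU_S0.get(decision, "s0")
    return "s0"   # all the remaining transitions go to s0

def next_holds(alpha_action, beta_action, prop):
    """Does X prop hold at s0 when alpha and beta play these actions?"""
    return prop in LABEL[tau("s0", (alpha_action, beta_action))]

def body(env):
    """(alpha, x)(beta, y)(X p) AND (alpha, y)(beta, z)(X q)."""
    return (next_holds(env["x"], env["y"], "p")
            and next_holds(env["y"], env["z"], "q"))

def check(prefix, env=None):
    """Evaluate a quantifier prefix over one-step strategies.

    prefix is a list of (kind, variable) with kind "E" for <<.>> and
    "A" for [[.]]; quantifiers are resolved left to right.
    """
    env = env or {}
    if not prefix:
        return body(env)
    (kind, var), rest = prefix[0], prefix[1:]
    branches = (check(rest, {**env, var: a}) for a in ACTIONS)
    return any(branches) if kind == "E" else all(branches)

def witness():
    """Return (action of x, {action of y: reply of z}) or None."""
    for x in ACTIONS:
        reply = {}
        for y in ACTIONS:
            good = [z for z in ACTIONS if body({"x": x, "y": y, "z": z})]
            if not good:
                break
            reply[y] = good[0]
        else:
            return x, reply
    return None

PAGE_PREFIX = [("E", "x"), ("A", "y"), ("E", "z")]   # <<x>>[[y]]<<z>>
SWAPPED_PREFIX = [("E", "x"), ("E", "z"), ("A", "y")]  # z fixed before y

if __name__ == "__main__":
    print(check(PAGE_PREFIX), witness(), check(SWAPPED_PREFIX))
```
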

We now discuss an application of the concepts of Nash equilibrium and stability profile to both 
the prisoner's dilemma and the paper, rock, and scissor game. 

Example 2.20 (Equilibrium Profiles). Let us first consider the Cgs $\mathcal{G}_{PD}$ of the prisoner's
dilemma described in Example 2.3 on page 7. Intuitively, each of the two accomplices $A_1$ and
$A_2$ wants to avoid the prison. These goals can be, respectively, represented by the Ltl formulas
V'Ai — G and — ^^A2 - The existence of a Nash equilibrium in Qpo for the two accomplices 
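w.r.t. the above goals can be written as $\phi_{NE} \triangleq \langle\langle x_1\rangle\rangle(A_1, x_1)\langle\langle x_2\rangle\rangle(A_2, x_2)\, \psi_{NE}$, where
$\psi_{NE} \triangleq ((\langle\langle y\rangle\rangle(A_1, y)\psi_{A_1}) \rightarrow \psi_{A_1}) \wedge ((\langle\langle y\rangle\rangle(A_2, y)\psi_{A_2}) \rightarrow \psi_{A_2})$, which turns out to be an instantiation of the
general sentence $\varphi_{NE}$ of Example 2.6 on page 9. In the same way, the existence of a stable Nash
equilibrium can be represented with the sentence $\phi_{SNE} \triangleq \langle\langle x_1\rangle\rangle(A_1, x_1)\langle\langle x_2\rangle\rangle(A_2, x_2)\, \psi_{NE} \wedge \psi_{SP}$,
where $\psi_{SP} \triangleq (\psi_1 \rightarrow [[y]]((\psi_2 \leftrightarrow (A_2, y)\psi_2) \rightarrow (A_2, y)\psi_1)) \wedge (\psi_2 \rightarrow [[y]]((\psi_1 \leftrightarrow (A_1, y)\psi_1) \rightarrow (A_1, y)\psi_2))$,
which is a particular case of the sentence $\varphi_{SNE}$ of Example 2.7 on page 9. Now, it is
easy to see that $\mathcal{G}_{PD} \models \phi_{SNE}$ and, so, $\mathcal{G}_{PD} \models \phi_{NE}$. Indeed, an assignment $\chi \in \mathrm{Asg}_{\mathcal{G}_{PD}}(\mathrm{Ag}, s_i)$, for
which $\chi(A_1)(s_i) = \chi(A_2)(s_i) = D$, is a stable equilibrium profile, i.e., it is such that
$\mathcal{G}_{PD}, \chi, s_i \models \psi_{NE} \wedge \psi_{SP}$. This is due to the fact that, if an agent $A_k$, for $k \in \{1, 2\}$, chooses another strategy
$\mathsf{f} \in \mathrm{Str}_{\mathcal{G}_{PD}}(s_i)$, he is still unable to achieve his goal $\psi_k$, i.e., $\mathcal{G}_{PD}, \chi[A_k \mapsto \mathsf{f}], s_i \not\models \psi_k$, so, he cannot
improve his payoff. Moreover, this equilibrium is stable, since the payoff of an agent cannot be made
worse by the changing of the strategy of the other agent. However, it is interesting to note that there
are instable equilibria too. One of these is represented by the assignment $\chi' \in \mathrm{Asg}_{\mathcal{G}_{PD}}(\mathrm{Ag}, s_i)$, for
which $\chi'(A_1)(s_i^{j}) = \chi'(A_2)(s_i^{j}) = C$, for all $j \in \mathbb{N}$. Indeed, we have that $\mathcal{G}_{PD}, \chi', s_i \models \psi_{NE}$, since
$\mathcal{G}_{PD}, \chi', s_i \models \psi_1$ and $\mathcal{G}_{PD}, \chi', s_i \models \psi_2$, but $\mathcal{G}_{PD}, \chi', s_i \not\models \psi_{SP}$. The latter property holds because,
if one of the agents $A_k$, for $k \in \{1, 2\}$, chooses a different strategy $\mathsf{f}' \in \mathrm{Str}_{\mathcal{G}_{PD}}(s_i)$ for which there
is a $j \in \mathbb{N}$ such that $\mathsf{f}'(s_i^{j}) = D$, he cannot improve his payoff but surely makes worse the payoff of
the other agent, i.e., $\mathcal{G}_{PD}, \chi'[A_k \mapsto \mathsf{f}'], s_i \models \psi_k$ but $\mathcal{G}_{PD}, \chi'[A_k \mapsto \mathsf{f}'], s_i \not\models \psi_{3-k}$. Finally, consider
the Cgs $\mathcal{G}_{PRS}$ of the paper, rock, and scissor game described in Example 2.2 on page 6 together
with the associated formula for the Nash equilibrium $\phi_{NE} \triangleq \langle\langle x_1\rangle\rangle(A, x_1)\langle\langle x_2\rangle\rangle(B, x_2)\, \psi_{NE}$, where
$\psi_{NE} \triangleq ((\langle\langle y\rangle\rangle(A, y)\psi_A) \rightarrow \psi_A) \wedge ((\langle\langle y\rangle\rangle(B, y)\psi_B) \rightarrow \psi_B)$ with $\psi_A \triangleq \mathsf{F}\,w_A$ and $\psi_B \triangleq \mathsf{F}\,w_B$
representing the Ltl temporal goals for Alice and Bob, respectively. Then, it is not hard to see that
$\mathcal{G}_{PRS} \not\models \phi_{NE}$, i.e., there are no Nash equilibria in this game, since there is necessarily an agent that
can improve his/her payoff by changing his/her strategy.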

Finally, we want to remark that our semantics framework, based on concurrent game structures,
is expressive enough to describe turn-based features in the multi-agent case too. This is possible by
simply allowing the transition function to depend only on the choice of actions of an a priori given
agent for each state.

Definition 2.21 (Turn-Based Game Structures). A Cgs $\mathcal{G}$ is turn-based if there exists a function
$\eta : \mathrm{St} \to \mathrm{Ag}$, named owner function, such that, for all states $s \in \mathrm{St}$ and decisions $d_1, d_2 \in \mathrm{Dc}$,
it holds that if $d_1(\eta(s)) = d_2(\eta(s))$ then $\tau(s, d_1) = \tau(s, d_2)$.

Intuitively, a Cgs is turn-based if it is possible to associate with each state an agent, i.e., the owner
of the state, which is responsible for the choice of the successor of that state. It is immediate to
observe that $\eta$ introduces a partitioning of the set of states into $|\mathsf{rng}(\eta)|$ components, each one ruled
by a single agent. Moreover, observe that a Cgs having just one agent is trivially turn-based, since
this agent is the only possible owner of all states.
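Definition 2.21 can be decided on a finite Cgs by searching, state by state, for an agent whose action alone fixes the successor. The following is an added example, not code from the paper: it applies the check to $\mathcal{G}_{SV}$ of Example 2.19 and to two constructed structures (a two-owner variant and a one-agent Cgs) whose transition functions are assumptions made for illustration.

```python
from itertools import product

def owner_function(states, agents, actions, tau):
    """Return an owner function as a dict state -> agent, or None.

    tau(state, decision) takes a decision as a dict agent -> action.
    A state s can be owned by agent a if any two decisions that agree
    on a's action lead to the same successor (Definition 2.21).
    """
    decisions = [dict(zip(agents, acts))
                 for acts in product(actions, repeat=len(agents))]
    owner = {}
    for s in states:
        for a in agents:
            if all(tau(s, d1) == tau(s, d2)
                   for d1 in decisions for d2 in decisions
                   if d1[a] == d2[a]):
                owner[s] = a
                break
        else:
            return None   # no single agent controls the successor of s
    return owner

STATES = ("s0", "s1", "s2", "s3")
AGENTS = ("alpha", "beta")
ACTIONS = (0, 1)

def tau_sv(state, d):
    """Transition function of G_SV from Example 2.19."""
    if state != "s0":
        return "s0"
    table = {(0, 0): "s1", (0, 1): "s2", (1, 0): "s3"}
    return table.get((d["alpha"], d["beta"]), "s0")

def tau_two_owners(state, d):
    """Constructed variant: alpha moves at s0, beta moves at s1."""
    if state == "s0":
        return "s1" if d["alpha"] == 0 else "s3"
    if state == "s1":
        return "s0" if d["beta"] == 0 else "s2"
    return "s0"

def tau_one_agent(state, d):
    """Constructed one-agent Cgs over the states s0 and s1."""
    return "s0" if d["alpha"] == 0 else "s1"

if __name__ == "__main__":
    print(owner_function(STATES, AGENTS, ACTIONS, tau_sv))
    print(owner_function(STATES, AGENTS, ACTIONS, tau_two_owners))
    print(owner_function(("s0", "s1"), ("alpha",), ACTIONS, tau_one_agent))
```

In $\mathcal{G}_{SV}$ the successor of $s_0$ depends on both actions, so no owner exists there and the structure is not turn-based.
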

In the following, as one can expect, we also consider the case in which Sl has its semantics
defined on turn-based Cgss only. In such an eventuality, we name the resulting semantic fragment
Turn-based Strategy Logic (Tb-Sl, for short) and refer to the related satisfiability concept as
turn-based satisfiability.

3. MODEL-CHECKING HARDNESS 

In this section, we show the non-elementary lower bound for the model-checking problem of Sl.
Precisely, we prove that, for sentences having alternation number $k$, this problem is $k$-ExpSpace-hard.
To this aim, in Subsection 3.1, we first recall syntax and semantics of QPtl [Sistla 1983].
Then, in Subsection 3.2, we give a reduction from the satisfiability problem for this logic to the
model-checking problem for Sl.

3.1. Quantified propositional temporal logic 

Quantified Propositional Temporal Logic (QPtl, for short) syntactically extends the old-style temporal
logic with the future $\mathsf{F}$ and global $\mathsf{G}$ operators by means of two proposition quantifiers, the
existential $\exists q.$ and the universal $\forall q.$, where $q$ is an atomic proposition. Intuitively, these elements
can be respectively read as "there exists an evaluation of $q$" and "for all evaluations of $q$". The
formal syntax of QPtl follows.

Definition 3.1 (QPtl Syntax). QPtl formulas are built inductively from the set of atomic
propositions AP, by using the following grammar, where $p \in \mathrm{AP}$:

$\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \mathsf{X}\,\varphi \mid \mathsf{F}\,\varphi \mid \mathsf{G}\,\varphi \mid \exists p.\varphi \mid \forall p.\varphi$.

QPtl denotes the infinite set of formulas generated by the above grammar.

Similarly to Sl, we use the concepts of subformula, free atomic proposition, sentence, and alternation
number, together with the QPtl syntactic fragment of bounded alternation QPtl[k-alt], with
$k \in \mathbb{N}$.

In order to define the semantics of QPtl, we have first to introduce the concepts of truth evalua- 
tions used to interpret the meaning of atomic propositions at the passing of time. 

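Definition 3.2 (Truth Evaluations). A temporal truth evaluation is a function $\mathsf{tte} : \mathbb{N} \to \{\mathsf{f}, \mathsf{t}\}$
that maps each natural number to a Boolean value. Moreover, a propositional truth evaluation is a
partial function $\mathsf{pte} : \mathrm{AP} \rightharpoonup \mathrm{TTE}$ mapping every atomic proposition in its domain to a temporal
truth evaluation. The sets $\mathrm{TTE} \triangleq \mathbb{N} \to \{\mathsf{f}, \mathsf{t}\}$ and $\mathrm{PTE} \triangleq \mathrm{AP} \rightharpoonup \mathrm{TTE}$ contain, respectively, all
temporal and propositional truth evaluations.

At this point, we have the tool to define the interpretation of QPtl formulas. For a propositional
truth evaluation $\mathsf{pte}$ with $\mathsf{free}(\varphi) \subseteq \mathsf{dom}(\mathsf{pte})$ and a number $k$, we write $\mathsf{pte}, k \models \varphi$ to indicate that
the formula $\varphi$ holds at the $k$-th position of the $\mathsf{pte}$.

Definition 3.3 (QPtl Semantics). For all QPtl formulas $\varphi$, propositional truth evaluations
$\mathsf{pte} \in \mathrm{PTE}$ with $\mathsf{free}(\varphi) \subseteq \mathsf{dom}(\mathsf{pte})$, and numbers $k \in \mathbb{N}$, the modeling relation $\mathsf{pte}, k \models \varphi$
is inductively defined as follows.

(1) $\mathsf{pte}, k \models p$ iff $\mathsf{pte}(p)(k) = \mathsf{t}$, with $p \in \mathrm{AP}$.

(2) For all formulas $\varphi$, $\varphi_1$, and $\varphi_2$, it holds that:

(a) $\mathsf{pte}, k \models \neg\varphi$ iff not $\mathsf{pte}, k \models \varphi$, that is $\mathsf{pte}, k \not\models \varphi$;

(b) $\mathsf{pte}, k \models \varphi_1 \wedge \varphi_2$ iff $\mathsf{pte}, k \models \varphi_1$ and $\mathsf{pte}, k \models \varphi_2$;

(c) $\mathsf{pte}, k \models \varphi_1 \vee \varphi_2$ iff $\mathsf{pte}, k \models \varphi_1$ or $\mathsf{pte}, k \models \varphi_2$;

(d) $\mathsf{pte}, k \models \mathsf{X}\,\varphi$ iff $\mathsf{pte}, k + 1 \models \varphi$;

(e) $\mathsf{pte}, k \models \mathsf{F}\,\varphi$ iff there is an index $i \in \mathbb{N}$ with $k \leq i$ such that $\mathsf{pte}, i \models \varphi$;

(f) $\mathsf{pte}, k \models \mathsf{G}\,\varphi$ iff, for all indexes $i \in \mathbb{N}$ with $k \leq i$, it holds that $\mathsf{pte}, i \models \varphi$.

(3) For an atomic proposition $q \in \mathrm{AP}$ and a formula $\varphi$, it holds that:

(a) $\mathsf{pte}, k \models \exists q.\varphi$ iff there exists a temporal truth evaluation $\mathsf{tte} \in \mathrm{TTE}$ such that
$\mathsf{pte}[q \mapsto \mathsf{tte}], k \models \varphi$;

(b) $\mathsf{pte}, k \models \forall q.\varphi$ iff for all temporal truth evaluations $\mathsf{tte} \in \mathrm{TTE}$ it holds that
$\mathsf{pte}[q \mapsto \mathsf{tte}], k \models \varphi$.

Obviously, a QPtl sentence $\varphi$ is satisfiable if $\emptyset, 0 \models \varphi$. Observe that the described semantics is
slightly different but completely equivalent to that proposed and used in [Sistla et al. 1987] to prove
the non-elementary hardness result for the satisfiability problem.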

3.2. Non-elementary lower-bound 

We can show how the solution of the QPtl satisfiability problem can be reduced to that of the
model-checking problem for Sl, over a turn-based constant size Cgs with a unique atomic proposition.

In order to do this, we first prove the following auxiliary lemma, which actually represents the
main step of the above mentioned reduction.

Fig. 4: The Cgs $\mathcal{G}_{Rdc}$.

Lemma 3.4 (QPtl Reduction). There is a one-agent Cgs $\mathcal{G}_{Rdc}$
such that, for each QPtl[k-alt] sentence $\varphi$, with $k \in \mathbb{N}$, there exists
a Tb-Sl[k-alt] variable-closed formula $\overline{\varphi}$ such that $\varphi$ is satisfiable iff $\mathcal{G}_{Rdc}, \chi, s_0 \models \overline{\varphi}$, for all
complete assignments $\chi \in \mathrm{Asg}(\mathrm{Ag}, s_0)$.

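Proof. Consider the one-agent Cgs $\mathcal{G}_{Rdc} \triangleq \langle\{p\}, \{\alpha\}, \{\mathsf{f}, \mathsf{t}\}, \{s_0, s_1\}, \lambda, \tau, s_0\rangle$ depicted in
Figure 4, where the two actions are the Boolean values false and true and where the labeling and
transition functions $\lambda$ and $\tau$ are set as follows: $\lambda(s_0) \triangleq \emptyset$, $\lambda(s_1) \triangleq \{p\}$, and $\tau(s, d) = s_0$ iff
$d(\alpha) = \mathsf{f}$, for all $s \in \mathrm{St}$ and $d \in \mathrm{Dc}$. It is evident that $\mathcal{G}_{Rdc}$ is a turn-based Cgs. Moreover, consider
the transformation function $\overline{\,\cdot\,} : \mathrm{QPtl} \to \mathrm{Sl}$ inductively defined as follows:

— $\overline{q} \triangleq (\alpha, x_q)\mathsf{X}\,p$, for $q \in \mathrm{AP}$;

— $\overline{\exists q.\varphi} \triangleq \langle\langle x_q\rangle\rangle\overline{\varphi}$;

— $\overline{\forall q.\varphi} \triangleq [[x_q]]\overline{\varphi}$;

— $\overline{\mathsf{Op}\,\varphi} \triangleq \mathsf{Op}\,\overline{\varphi}$, where $\mathsf{Op} \in \{\neg, \mathsf{X}, \mathsf{F}, \mathsf{G}\}$;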

— (/3iOp iy92 — where Op G {A, V}. 

It is not hard to see that a QPtl formula $\varphi$ is a sentence iff $\overline{\varphi}$ is variable-closed. Furthermore, we
have that $\mathsf{alt}(\overline{\varphi}) = \mathsf{alt}(\varphi)$.

At this point, it remains to prove that a QPtl sentence $\varphi$ is satisfiable iff $\mathcal{G}_{Rdc}, \chi, s_0 \models \overline{\varphi}$, for
all total assignments $\chi \in \mathrm{Asg}(\{\alpha\}, s_0)$. To do this by induction on the structure of $\varphi$, we actually
show a stronger result asserting that, for all subformulas $\psi \in \mathsf{sub}(\varphi)$, propositional truth evaluations
$\mathsf{pte} \in \mathrm{PTE}$, and $i \in \mathbb{N}$, it holds that $\mathsf{pte}, i \models \psi$ iff $\mathcal{G}_{Rdc}, (\chi, s_0)^{i} \models \overline{\psi}$, for each total assignment
$\chi \in \mathrm{Asg}(\{\alpha\} \cup \{x_q \in \mathrm{Var} : q \in \mathsf{free}(\psi)\}, s_0)$ such that $\chi(x_q)((\pi)_{\leq n}) = \mathsf{pte}(q)(n)$, where
$\pi \triangleq \mathsf{play}(\chi, s_0)$, for all $q \in \mathsf{free}(\psi)$ and $n \in [i, \omega[$.

Here, we only show the base case of atomic propositions and the two inductive cases regarding
the proposition quantifiers. The remaining cases of Boolean connectives and temporal operators are
straightforward and left to the reader as a simple exercise.

— $\psi = q$.

By Item 1 of Definition 3.3 of QPtl semantics, we have that $\mathsf{pte}, i \models q$ iff $\mathsf{pte}(q)(i) = \mathsf{t}$. Thus,
due to the above constraint on the assignment, it follows that $\mathsf{pte}, i \models q$ iff $\chi(x_q)((\pi)_{\leq i}) = \mathsf{t}$. Now,
by applying Items 4 and 5a of Definition 2.16 of Sl semantics, we have that $\mathcal{G}_{Rdc}, (\chi, s_0)^{i} \models (\alpha, x_q)\mathsf{X}\,p$
iff $\mathcal{G}_{Rdc}, (\chi'[\alpha \mapsto \chi'(x_q)], s')^{1} \models p$, where $(\chi', s') = (\chi, s_0)^{i}$. At this point, due to the
particular structure of the Cgs $\mathcal{G}_{Rdc}$, we have that $\mathcal{G}_{Rdc}, (\chi'[\alpha \mapsto \chi'(x_q)], s')^{1} \models p$ iff $(\pi')_1 = s_1$,
where $\pi' \triangleq \mathsf{play}(\chi'[\alpha \mapsto \chi'(x_q)], s')$, which in turn is equivalent to $\chi'(x_q)((\pi')_{\leq 0}) = \mathsf{t}$. So,
$\mathcal{G}_{Rdc}, (\chi, s_0)^{i} \models (\alpha, x_q)\mathsf{X}\,p$ iff $\chi'(x_q)((\pi')_{\leq 0}) = \mathsf{t}$. Now, by observing that $(\pi')_{\leq 0} = (\pi)_i$ and
using the above definition of $\chi'$, we obtain that $\chi'(x_q)((\pi')_{\leq 0}) = \chi(x_q)((\pi)_{\leq i})$. Hence, $\mathsf{pte}, i \models q$
iff $\mathsf{pte}(q)(i) = \chi(x_q)((\pi)_{\leq i}) = \mathsf{t} = \chi'(x_q)((\pi')_{\leq 0})$ iff $\mathcal{G}_{Rdc}, (\chi, s_0)^{i} \models (\alpha, x_q)\mathsf{X}\,p$.

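— $\psi = \exists q.\psi'$.

[Only if]. If $\mathsf{pte}, i \models \exists q.\psi'$, by Item 3a of Definition 3.3, there exists a temporal truth evaluation
$\mathsf{tte} \in \mathrm{TTE}$ such that $\mathsf{pte}[q \mapsto \mathsf{tte}], i \models \psi'$. Now, consider a strategy $\mathsf{f} \in \mathrm{Str}(s_0)$ such that
$\mathsf{f}((\pi)_{\leq n}) = \mathsf{tte}(n)$, for all $n \in [i, \omega[$. Then, it is evident that $\chi[x_q \mapsto \mathsf{f}](x_{q'})((\pi)_{\leq n}) = \mathsf{pte}[q \mapsto \mathsf{tte}](q')(n)$,
for all $q' \in \mathsf{free}(\psi')$ and $n \in [i, \omega[$. So, by the inductive hypothesis, it follows that
$\mathcal{G}_{Rdc}, (\chi[x_q \mapsto \mathsf{f}], s_0)^{i} \models \overline{\psi'}$. Thus, we have that $\mathcal{G}_{Rdc}, (\chi, s_0)^{i} \models \langle\langle x_q\rangle\rangle\overline{\psi'}$.

[If]. If $\mathcal{G}_{Rdc}, (\chi, s_0)^{i} \models \langle\langle x_q\rangle\rangle\overline{\psi'}$, there exists a strategy $\mathsf{f} \in \mathrm{Str}(s_0)$ such that
$\mathcal{G}_{Rdc}, (\chi[x_q \mapsto \mathsf{f}], s_0)^{i} \models \overline{\psi'}$. Now, consider a temporal truth evaluation $\mathsf{tte} \in \mathrm{TTE}$ such that $\mathsf{tte}(n) = \mathsf{f}((\pi)_{\leq n})$,
for all $n \in [i, \omega[$. Then, it is evident that $\chi[x_q \mapsto \mathsf{f}](x_{q'})((\pi)_{\leq n}) = \mathsf{pte}[q \mapsto \mathsf{tte}](q')(n)$, for all
$q' \in \mathsf{free}(\psi)$ and $n \in [i, \omega[$. So, by the inductive hypothesis, it follows that $\mathsf{pte}[q \mapsto \mathsf{tte}], i \models \psi'$.

Thus, by Item 3a of Definition 3.3, we have that $\mathsf{pte}, i \models \exists q.\psi'$.

— $\psi = \forall q.\psi'$.

[Only if]. For each strategy $\mathsf{f} \in \mathrm{Str}(s_0)$, consider a temporal truth evaluation $\mathsf{tte} \in \mathrm{TTE}$
such that $\mathsf{tte}(n) = \mathsf{f}((\pi)_{\leq n})$, for all $n \in [i, \omega[$. It is evident that $\chi[x_q \mapsto \mathsf{f}](x_{q'})((\pi)_{\leq n}) = \mathsf{pte}[q \mapsto \mathsf{tte}](q')(n)$,
for all $q' \in \mathsf{free}(\psi)$ and $n \in [i, \omega[$. Now, since $\mathsf{pte}, i \models \forall q.\psi'$, by
Item 3b of Definition 3.3, it follows that $\mathsf{pte}[q \mapsto \mathsf{tte}], i \models \psi'$. So, by the inductive hypothesis,
for each strategy $\mathsf{f} \in \mathrm{Str}(s_0)$, it holds that $\mathcal{G}_{Rdc}, (\chi[x_q \mapsto \mathsf{f}], s_0)^{i} \models \overline{\psi'}$. Thus, we have that
$\mathcal{G}_{Rdc}, (\chi, s_0)^{i} \models [[x_q]]\overline{\psi'}$.

[If]. For each temporal truth evaluation $\mathsf{tte} \in \mathrm{TTE}$, consider a strategy $\mathsf{f} \in \mathrm{Str}(s_0)$ such
that $\mathsf{f}((\pi)_{\leq n}) = \mathsf{tte}(n)$, for all $n \in [i, \omega[$. It is evident that $\chi[x_q \mapsto \mathsf{f}](x_{q'})((\pi)_{\leq n}) = \mathsf{pte}[q \mapsto \mathsf{tte}](q')(n)$,
for all $q' \in \mathsf{free}(\psi)$ and $n \in [i, \omega[$. Now, since $\mathcal{G}_{Rdc}, (\chi, s_0)^{i} \models [[x_q]]\overline{\psi'}$, it follows that
$\mathcal{G}_{Rdc}, (\chi[x_q \mapsto \mathsf{f}], s_0)^{i} \models \overline{\psi'}$. So, by the inductive hypothesis, for each temporal truth evaluation
$\mathsf{tte} \in \mathrm{TTE}$, it holds that $\mathsf{pte}[q \mapsto \mathsf{tte}], i \models \psi'$. Thus, by Item 3b of Definition 3.3, we have that
$\mathsf{pte}, i \models \forall q.\psi'$.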

Thus, we are done with the proof. □ 

Now, we can show the full reduction that allows us to state the existence of a non-elementary 
lower-bound for the model-checking problem of Tb-Sl and, thus, of Sl. 

Theorem 3.5 (Tb-Sl Model-Checking Hardness). The model-checking problem for Tb-Sl[k-alt] is
k-ExpSpace-hard.

Proof. Let $\varphi$ be a QPtl[k-alt] sentence, $\overline{\varphi}$ the related Tb-Sl[k-alt] variable-closed
formula, and $\mathcal{G}_{Rdc}$ the turn-based Cgs of Lemma 3.4 of QPtl reduction. Then, by applying the previously
mentioned lemma, it is easy to see that $\varphi$ is satisfiable iff
$\mathcal{G}_{Rdc} \models [[x]](\alpha, x)\overline{\varphi}$ iff
$\mathcal{G}_{Rdc} \models \langle\langle x \rangle\rangle(\alpha, x)\overline{\varphi}$.
Thus, the satisfiability problem for QPtl can be reduced to the model-checking problem for Tb-Sl.
Now, since the satisfiability problem for QPtl[k-alt] is k-ExpSpace-hard [Sistla et al. 1987], we
have that the model-checking problem for Tb-Sl[k-alt] is k-ExpSpace-hard as well. □

The following corollary is an immediate consequence of the previous theorem. 

Corollary 3.6 (Sl Model-Checking Hardness). The model-checking problem for Sl[k-alt] is
k-ExpSpace-hard.

4. STRATEGY QUANTIFICATIONS

Since model checking for Sl is non-elementary hard while the same problem for Atl* is only
2ExpTime-complete, a question that naturally arises is whether there are proper fragments of
Sl of practical interest, still strictly subsuming Atl*, that reside in such a complexity gap. In this
section, we answer this question positively and go even further. Precisely, we highlight a fundamental
property that, if satisfied, allows us to retain a 2ExpTime-complete model-checking problem.
We refer to such a property as elementariness. To formally introduce this concept, we use the notion
of dependence map as a machinery.

The remaining part of this section is organized as follows. In Subsection 4.1, we describe three
syntactic fragments of Sl, named Sl[ng], Sl[bg], and Sl[1g], having the peculiarity to use strategy
quantifications grouped in atomic blocks. Then, in Subsection 4.2, we define the notion of dependence
map, which is used, in Subsection 4.3, to introduce the concept of elementariness. Finally,
in Subsection 4.4, we prove a fundamental result, which is at the base of our elementary
model-checking procedure for Sl[1g].

4.1. Syntactic fragments 

In order to formalize the syntactic fragments of Sl we want to investigate, we first need to define 
the concepts of quantification and binding prefixes. 

Definition 4.1 (Prefixes). A quantification prefix over a set $V \subseteq \mathrm{Var}$ of variables is a finite
word $\wp \in \{\langle\langle x \rangle\rangle, [[x]] : x \in V\}^{|V|}$ of length $|V|$ such that each variable
$x \in V$ occurs just once in $\wp$, i.e., there is exactly one index $i \in [0, |V|[$ such that
$(\wp)_i \in \{\langle\langle x \rangle\rangle, [[x]]\}$. A binding prefix over a set of variables
$V \subseteq \mathrm{Var}$ is a finite word $\flat \in \{(a, x) : a \in \mathrm{Ag} \wedge x \in V\}^{|\mathrm{Ag}|}$
of length $|\mathrm{Ag}|$ such that each agent $a \in \mathrm{Ag}$ occurs just once in $\flat$, i.e., there is exactly
one index $i \in [0, |\mathrm{Ag}|[$ for which $(\flat)_i \in \{(a, x) : x \in V\}$. Finally,
$\mathrm{Qnt}(V) \subseteq \{\langle\langle x \rangle\rangle, [[x]] : x \in V\}^{|V|}$ and
$\mathrm{Bnd}(V) \subseteq \{(a, x) : a \in \mathrm{Ag} \wedge x \in V\}^{|\mathrm{Ag}|}$ denote, respectively, the sets
of all quantification and binding prefixes over variables in $V$.

We now have all tools to define the syntactic fragments we want to analyze, which we name,
respectively, Nested-Goal, Boolean-Goal, and One-Goal Strategy Logic (Sl[ng], Sl[bg], and Sl[1g],
for short). By goal we mean an Sl agent-closed formula of the kind $\flat\varphi$, with
$\mathrm{Ag} \subseteq \mathsf{free}(\varphi)$, being $\flat \in \mathrm{Bnd}(\mathrm{Var})$ a binding prefix. The idea
behind Sl[ng] is that, when there is a quantification over a variable used in a goal, we are forced to
quantify over all free variables of the inner subformula containing the goal itself, by using a
quantification prefix. In this way, the subformula is built only by nesting and Boolean combinations of
goals. In addition, with Sl[bg] we avoid nested goals sharing the variables of a same quantification
prefix, but allow their Boolean combinations. Finally, Sl[1g] forces the use of a different
quantification prefix for each single goal in the formula. The formal syntax of Sl[ng], Sl[bg], and
Sl[1g] follows.

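Definition 4.2 (Sl[ng], Sl[bg], and Sl[1g] Syntax). Sl[ng] formulas are built inductively
from the sets of atomic propositions AP, quantification prefixes $\mathrm{Qnt}(V)$ for any
$V \subseteq \mathrm{Var}$, and binding prefixes $\mathrm{Bnd}(\mathrm{Var})$, by using the following grammar, with
$p \in \mathrm{AP}$, $\wp \in \bigcup_{V \subseteq \mathrm{Var}} \mathrm{Qnt}(V)$, and
$\flat \in \mathrm{Bnd}(\mathrm{Var})$:

$\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \mathsf{X}\,\varphi \mid \varphi\,\mathsf{U}\,\varphi \mid \varphi\,\mathsf{R}\,\varphi \mid \wp\varphi \mid \flat\varphi$,

where in the formation rule $\wp\varphi$ it is ensured that $\varphi$ is agent-closed and
$\wp \in \mathrm{Qnt}(\mathsf{free}(\varphi))$.

In addition, Sl[bg] formulas are determined by splitting the above syntactic class in two different
parts, of which the second is dedicated to build the Boolean combinations of goals avoiding their
nesting:

$\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \mathsf{X}\,\varphi \mid \varphi\,\mathsf{U}\,\varphi \mid \varphi\,\mathsf{R}\,\varphi \mid \wp\psi$,
$\psi ::= \flat\varphi \mid \neg\psi \mid \psi \wedge \psi \mid \psi \vee \psi$,

where in the formation rule $\wp\psi$ it is ensured that $\wp \in \mathrm{Qnt}(\mathsf{free}(\psi))$.

Finally, the simpler Sl[1g] formulas are obtained by forcing each goal to be coupled with a
quantification prefix:

$\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \mathsf{X}\,\varphi \mid \varphi\,\mathsf{U}\,\varphi \mid \varphi\,\mathsf{R}\,\varphi \mid \wp\flat\varphi$,

where in the formation rule $\wp\flat\varphi$ it is ensured that
$\wp \in \mathrm{Qnt}(\mathsf{free}(\flat\varphi))$.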

Sl $\supset$ Sl[ng] $\supset$ Sl[bg] $\supset$ Sl[1g] denotes the syntactic chain of infinite sets of formulas
generated by the respective grammars with the associated constraints on free variables of goals.

Intuitively, in Sl[ng], Sl[bg], and Sl[1g], we force the writing of formulas to use atomic blocks
of quantifications and bindings, where the related free variables are strictly coupled with those that
are effectively quantified in the prefix just before the binding. In a nutshell, we can only write
formulas by using sentences of the form $\wp\psi$ belonging to a kind of prenex normal form in which the
quantifications contained in the matrix $\psi$ only belong to the prefixes $\wp'$ of some inner
subsentence $\wp'\psi' \in \mathsf{snt}(\wp\psi)$.

An Sl[ng] sentence $\varphi$ is principal if it is of the form $\varphi = \wp\psi$, where $\psi$ is
agent-closed and $\wp \in \mathrm{Qnt}(\mathsf{free}(\psi))$. By
$\mathsf{psnt}(\varphi) \subseteq \mathsf{snt}(\varphi)$ we denote the set of all principal subsentences of the
formula $\varphi$.

We now introduce two other general restrictions in which the numbers $|\mathrm{Ag}|$ of agents and
$|\mathrm{Var}|$ of variables that are used to write a formula are fixed to the a priori values
$n, m \in [1, \omega[$, respectively. Moreover, we can also forbid the sharing of variables, i.e., each
variable is bound to one agent only, so we cannot force two agents to use the same strategy. We name
these three fragments Sl[n-ag], Sl[m-var], and Sl[fvs], respectively. Note that, in the one-agent
fragment, the restriction on the sharing of variables between agents, naturally, does not act, i.e.,
Sl[1-ag, fvs] = Sl[1-ag].

To start to practice with the above fragments, consider again the sentence ip of Exam- 
ple [ZT9]onpag£T2] It is easy to see that it actually belongs to Sl[bg, 2-ag, 3-var, 2-alt], and so, 
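to Sl[ng], but not to Sl[1g], since it is of the form
$\wp(\flat_1\mathsf{X}\,p \wedge \flat_2\mathsf{X}\,q)$, where the quantification prefix is
$\wp = \langle\langle x \rangle\rangle[[y]]\langle\langle z \rangle\rangle$ and the binding prefixes of the two
goals are $\flat_1 = (\alpha, x)(\beta, y)$ and $\flat_2 = (\alpha, y)(\beta, z)$.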

Along the paper, sometimes we assert that a given formula belongs to an Sl syntactic fragment
even if its syntax does not precisely correspond to what is described by the relative grammar.
We do this in order to make the reading and interpretation of the formula itself easier,
and only in the case that it is simple to translate it into an equivalent formula that effectively
belongs to the intended logic, by means of a simple generalization of classic rules used to put a
formula of first order logic in the prenex normal form. For example, consider the sentence
$\varphi_{NE}$ of Example 2.6 on page 9 representing the existence of a Nash equilibrium. This formula is
considered to belong to Sl[bg, n-ag, 2n-var, fvs, 1-alt], since it can be easily translated in the form
$\varphi_{NE} = \wp \bigwedge_{i=1}^{n} \flat_i\psi_i \rightarrow \flat\psi_i$, where
$\wp = \langle\langle x_1 \rangle\rangle \cdots \langle\langle x_n \rangle\rangle [[y_1]] \cdots [[y_n]]$,
$\flat = (\alpha_1, x_1) \cdots (\alpha_n, x_n)$,
$\flat_i = (\alpha_1, x_1) \cdots (\alpha_{i-1}, x_{i-1})(\alpha_i, y_i)(\alpha_{i+1}, x_{i+1}) \cdots (\alpha_n, x_n)$,
and $\mathsf{free}(\psi_i) = \mathrm{Ag}$. As another ex-
ample, consider the sentence ipsp of Example |2.7 on page 9| representing the existence of a stability 
profile. Also this formula is considered to belong to Sl[bg, n-ag, 2n-var, fvs, 1-alt], since it is equiv- 
alent to cj)sp = P Ai!j=i,i5^j t'V'i ((t'V'j ^ ^i'^i) biV'j)- Note that both (j)NE and cj)sp are 
principal sentences. 

Now, it is interesting to observe that Ctl* and Atl* are exactly equivalent to Sl[1g, fvs, 0-alt]
and Sl[1g, fvs, 1-alt], respectively. Moreover, Gl [Alur et al. 2002] is the very simple fragment of
Sl[bg, fvs, 1-alt] that forces all goals in a formula to have a common part containing all variables
quantified before the unique possible alternation of the quantification prefix. Finally, we have that
CHP-Sl is the Tb-Sl[bg, 2-ag, fvs] fragment.

Remark 4.3 (Tb-Sl[ng] Model-Checking Hardness). It is well-known that the non-elementary
hardness result for the satisfiability problem of QPtl [Sistla et al. 1987] already holds for formulas
in prenex normal form. Now, it is not hard to see that the transformation described in Lemma 3.4
of QPtl reduction puts QPtl[k-alt] sentences $\varphi$ in prenex normal form into Tb-Sl[ng, 1-ag, k-alt]
variable-closed formulas $\overline{\varphi} = \wp\psi$. Moreover, the derived Tb-Sl[1-ag, k-alt] sentence
$\langle\langle x \rangle\rangle(\alpha, x)\wp\psi$ used in Theorem 3.5 of Tb-Sl model-checking hardness is
equivalent to the Tb-Sl[ng, 1-ag, k-alt] principal sentence
$\langle\langle x \rangle\rangle\wp(\alpha, x)\psi$, since $x$ is not used in the quantification prefix $\wp$.
Thus, the hardness result for the model-checking problem holds for Tb-Sl[ng, 1-ag, k-alt] and,
consequently, for Sl[ng, 1-ag, k-alt] as well. However, it is important to observe that, unfortunately,
it is not known if such a hardness result holds for Tb-Sl[bg] or Sl[bg] and, in particular, for CHP-Sl.
We leave this problem open here.



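Fig. 5: Alternation-2 non-equivalent Cgss. (a) Cgs $\mathcal{G}_1$, with edge labels $D_1$ and
$\mathrm{Dc}_{\mathcal{G}_1} \setminus D_1$. (b) Cgs $\mathcal{G}_2$, with edge labels $D_2$ and
$\mathrm{Dc}_{\mathcal{G}_2} \setminus D_2$.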

At this point, we prove that Atl* is strictly less expressive than Sl[1g] and, consequently, than
Sl[bg] and Sl[ng]. To do this, we show the existence of two structures that turn out to be equivalent
only w.r.t. sentences having alternation number bounded by 1. It can be interesting to note that
we use an ad-hoc technique based on a brute-force check to verify that all Atl* formulas cannot
distinguish between the two structures. A possible future line of research is to study variants of
the Ehrenfeucht-Fraïssé game [Ebbinghaus and Flum 1995; Hodges 1993] for Sl, which allow one to
determine whether or not two structures are equivalent w.r.t. a particular Sl fragment.

Theorem 4.4 (Sl[1g] vs Atl* Expressiveness). There exists an Sl[1g, 3-ag, fvs, 2-alt] 
sentence having no Atl* equivalent. 

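Proof. Consider the two Cgss
$\mathcal{G}_1 \triangleq \langle \{p\}, \{\alpha, \beta, \gamma\}, \{0, 1\}, \{s_0, s_1, s_2\}, \lambda, \tau_1, s_0 \rangle$
and
$\mathcal{G}_2 \triangleq \langle \{p\}, \{\alpha, \beta, \gamma\}, \{0, 1, 2\}, \{s_0, s_1, s_2\}, \lambda, \tau_2, s_0 \rangle$
depicted in Figure 5, where $\lambda(s_0) = \lambda(s_2) \triangleq \emptyset$, $\lambda(s_1) = \{p\}$,
$D_1 = \{00{*}, 11{*}\}$, and $D_2 = \{00{*}, 11{*}, 12{*}, 200, 202, 211\}$. Moreover, consider the
Sl[1g, 3-ag, fvs, 2-alt] sentence $\varphi^* = \wp^*\flat^*\mathsf{X}\,p$, where
$\wp^* = [[x]]\langle\langle y \rangle\rangle[[z]]$ and $\flat^* = (\alpha, x)(\beta, y)(\gamma, z)$.
Then, it is easy to see that $\mathcal{G}_1 \models \varphi^*$ but $\mathcal{G}_2 \not\models \varphi^*$. Indeed,
$\mathcal{G}_1, \chi_1, s_0 \models \flat^*\mathsf{X}\,p$, for all
$\chi_1 \in \mathrm{Asg}_{\mathcal{G}_1}(\{x, y, z\}, s_0)$ such that $\chi_1(y)(s_0) = \chi_1(x)(s_0)$, and
$\mathcal{G}_2, \chi_2, s_0 \models \flat^*\mathsf{X}\,\neg p$, for all
$\chi_2 \in \mathrm{Asg}_{\mathcal{G}_2}(\{x, y, z\}, s_0)$ such that $\chi_2(x)(s_0) = 2$ and
$\chi_2(z)(s_0) = (\chi_2(y)(s_0) + 1) \bmod 3$.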

Now, due to the particular structure of the Cgss $\mathcal{G}_i$ under exam, with $i \in \{1, 2\}$, for each path
$\pi \in \mathrm{Pth}_{\mathcal{G}_i}(s_0)$, we have that either $\lambda((\pi)_j) = \{p\}$ or
$\lambda((\pi)_j) = \emptyset$, for all $j \in [1, \omega[$, i.e., apart from the initial state, the path is
completely labeled either with $\{p\}$ or with $\emptyset$. Thus, it is easy to see that, for each Atl*
formula $\wp\flat\psi$, there is a literal $l_\psi \in \{p, \neg p\}$ such that
$\mathcal{G}_i \models \wp\flat\psi$ iff $\mathcal{G}_i \models \wp\flat\mathsf{X}\,l_\psi$,
for all $i \in \{1, 2\}$. W.l.o.g., we can suppose that $\flat = \flat^*$, since we are always able to uniformly
rename the variables of the quantification and binding prefixes without changing the meaning of the
sentence.

At this point, it is easy to see that there exists an index k G {1,2,3} for which it holds that either 
Pfcb*X/^ ^ pb*Xl^, or p\>*Xl^, ^ pi\>*Xl^, where pi ^ [[x]] [[z]] ((y)) , p2 ^ ((x)) ((y)) [[z]], and 
$\wp_3 \triangleq [[y]][[z]]\langle\langle x \rangle\rangle$. Thus, to prove that every Atl* formula cannot
distinguish between $\mathcal{G}_1$ and $\mathcal{G}_2$, we can simply show that the sentences
$\wp_k\flat^*\mathsf{X}\,l$, with $k \in \{1, 2, 3\}$ and $l \in \{p, \neg p\}$, do the same. In
fact, it holds that $\mathcal{G}_i \models \wp_k\flat^*\mathsf{X}\,l$, for all $i \in \{1, 2\}$,
$k \in \{1, 2, 3\}$, and $l \in \{p, \neg p\}$. Hence, the thesis
holds. The check of the latter fact is trivial and left to the reader as an exercise. □
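
The check left as an exercise can be run mechanically. The following is an added example, not code from the paper: it assumes, reading Figure 5, that from $s_0$ a decision in $D_i$ leads to $s_1$ (labelled $p$), any other decision leads to $s_2$, and both are absorbing, so only the actions chosen at $s_0$ matter and strategy quantifiers reduce to quantifiers over actions. It goes beyond the three representative prefixes by also testing every prefix over $x, y, z$ with at most one alternation; the names `holds` and `distinguishing` are this example's own.

```python
from itertools import permutations, product

AGENT_VARS = ("x", "y", "z")  # binding b* = (alpha,x)(beta,y)(gamma,z)


def expand(patterns, actions):
    """Expand decision patterns such as '00*' ('*' = any action) into action triples."""
    triples = set()
    for pattern in patterns:
        choices = [actions if ch == "*" else (int(ch),) for ch in pattern]
        triples.update(product(*choices))
    return triples


# Assumed reading of Figure 5: "to_s1" holds the decisions at s0 that reach s1 (labelled p).
G1 = {"actions": (0, 1), "to_s1": expand(["00*", "11*"], (0, 1))}
G2 = {"actions": (0, 1, 2),
      "to_s1": expand(["00*", "11*", "12*", "200", "202", "211"], (0, 1, 2))}


def holds(game, prefix, literal, chosen=()):
    """Truth at s0 of  prefix b* X literal.

    prefix is a tuple of (quantifier, variable) pairs, with 'A' for [[.]] and
    'E' for <<.>>; literal is 'p' or 'not p'."""
    if not prefix:
        value = dict(chosen)
        reaches_p = tuple(value[v] for v in AGENT_VARS) in game["to_s1"]
        return reaches_p if literal == "p" else not reaches_p
    (quantifier, var), rest = prefix[0], prefix[1:]
    branches = (holds(game, rest, literal, chosen + ((var, a),))
                for a in game["actions"])
    return any(branches) if quantifier == "E" else all(branches)


def alternations(prefix):
    """Number of quantifier alternations in the prefix."""
    return sum(1 for (q1, _), (q2, _) in zip(prefix, prefix[1:]) if q1 != q2)


def distinguishing(max_alternations):
    """All (prefix, literal) pairs within the alternation bound on which G1 and G2 disagree."""
    found = []
    for order in permutations(AGENT_VARS):
        for quantifiers in product("AE", repeat=3):
            prefix = tuple(zip(quantifiers, order))
            if alternations(prefix) > max_alternations:
                continue
            for literal in ("p", "not p"):
                if holds(G1, prefix, literal) != holds(G2, prefix, literal):
                    found.append((prefix, literal))
    return found


PHI_STAR = (("A", "x"), ("E", "y"), ("A", "z"))          # [[x]] <<y>> [[z]]
REPRESENTATIVES = {
    1: (("A", "x"), ("A", "z"), ("E", "y")),             # [[x]] [[z]] <<y>>
    2: (("E", "x"), ("E", "y"), ("A", "z")),             # <<x>> <<y>> [[z]]
    3: (("A", "y"), ("A", "z"), ("E", "x")),             # [[y]] [[z]] <<x>>
}

if __name__ == "__main__":
    print("phi* on G1, G2:", holds(G1, PHI_STAR, "p"), holds(G2, PHI_STAR, "p"))
    print("disagreements with <= 1 alternation:", distinguishing(1))
    print("disagreements with <= 2 alternations:", len(distinguishing(2)))
```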

4.2. Dependence Maps 

We now introduce the concept of dependence map of a quantification and show how any quantification
prefix contained in an Sl formula can be represented by an adequate choice of a dependence
map over strategies. The main idea here is inspired by what Skolem proposed for first order
logic in order to eliminate each existential quantification over variables, by substituting them with
second order existential quantifications over functions, whose choice is uniform w.r.t. the universal
variables.

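First, we introduce some notation regarding quantification prefixes. Let $\wp \in \mathrm{Qnt}(V)$ be a
quantification prefix over a set $V(\wp) \triangleq V \subseteq \mathrm{Var}$ of variables. By
$\langle\langle\wp\rangle\rangle \triangleq \{x \in V(\wp) : \exists i \in [0, |\wp|[ \,.\, (\wp)_i = \langle\langle x \rangle\rangle\}$
and $[[\wp]] \triangleq V(\wp) \setminus \langle\langle\wp\rangle\rangle$ we denote, respectively, the sets of
existential and universal variables quantified in $\wp$. For two variables $x, y \in V(\wp)$, we say that
$x$ precedes $y$ in $\wp$, in symbols $x <_\wp y$, if $x$ occurs before $y$ in $\wp$, i.e., there are two
indexes $i, j \in [0, |\wp|[$, with $i < j$, such that $(\wp)_i \in \{\langle\langle x \rangle\rangle, [[x]]\}$
and $(\wp)_j \in \{\langle\langle y \rangle\rangle, [[y]]\}$. Moreover, we say that $y$ is functional dependent
on $x$, in symbols $x \rightsquigarrow_\wp y$, if $x \in [[\wp]]$, $y \in \langle\langle\wp\rangle\rangle$, and
$x <_\wp y$, i.e., $y$ is existentially quantified after $x$ is universally quantified, so there may be a
dependence between a value chosen by $x$ and that chosen by $y$. This definition induces the set
$\mathrm{Dep}(\wp) \triangleq \{(x, y) \in V(\wp) \times V(\wp) : x \rightsquigarrow_\wp y\}$ of dependence pairs
and its derived version $\mathrm{Dep}(\wp, y) \triangleq \{x \in V(\wp) : x \rightsquigarrow_\wp y\}$ containing
all variables from which $y$ depends. Finally, we use $\overline{\wp} \in \mathrm{Qnt}(V(\wp))$ to indicate the
quantification derived from $\wp$ by dualizing each quantifier contained in it, i.e., for all indexes
$i \in [0, |\wp|[$, it holds that $(\overline{\wp})_i = \langle\langle x \rangle\rangle$ iff $(\wp)_i = [[x]]$,
with $x \in V(\wp)$. It is evident that $\langle\langle\overline{\wp}\rangle\rangle = [[\wp]]$ and
$[[\overline{\wp}]] = \langle\langle\wp\rangle\rangle$. As an example, let
$\wp = [[x]]\langle\langle y \rangle\rangle\langle\langle z \rangle\rangle[[w]]\langle\langle v \rangle\rangle$.
Then, we have $\langle\langle\wp\rangle\rangle = \{y, z, v\}$, $[[\wp]] = \{x, w\}$,
$\mathrm{Dep}(\wp, x) = \mathrm{Dep}(\wp, w) = \emptyset$, $\mathrm{Dep}(\wp, y) = \mathrm{Dep}(\wp, z) = \{x\}$,
$\mathrm{Dep}(\wp, v) = \{x, w\}$, and
$\overline{\wp} = \langle\langle x \rangle\rangle[[y]][[z]]\langle\langle w \rangle\rangle[[v]]$.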

Finally, we define the notion of valuation of variables over a generic set $D$, called domain, i.e.,
a partial function $v : \mathrm{Var} \rightharpoonup D$ mapping every variable in its domain to an element in
$D$. By $\mathrm{Val}_D(V) \triangleq V \to D$ we denote the set of all valuation functions over $D$ defined on
$V \subseteq \mathrm{Var}$.

At this point, we give a general high-level semantics for the quantification prefixes by means of 
the following main definition of dependence map. 

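Definition 4.5 (Dependence Maps). Let $\wp \in \mathrm{Qnt}(V)$ be a quantification prefix over a set
$V \subseteq \mathrm{Var}$ of variables, and $D$ a set. Then, a dependence map for $\wp$ over $D$ is a function
$\theta : \mathrm{Val}_D([[\wp]]) \to \mathrm{Val}_D(V)$ satisfying the following properties:

(1) $\theta(v)_{\restriction [[\wp]]} = v$, for all $v \in \mathrm{Val}_D([[\wp]])$;

(2) $\theta(v_1)(x) = \theta(v_2)(x)$, for all $v_1, v_2 \in \mathrm{Val}_D([[\wp]])$ and
$x \in \langle\langle\wp\rangle\rangle$ such that
$v_{1\restriction \mathrm{Dep}(\wp, x)} = v_{2\restriction \mathrm{Dep}(\wp, x)}$.

$\mathrm{DM}_D(\wp)$ denotes the set of all dependence maps for $\wp$ over $D$.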

Intuitively, Item 1 asserts that $\theta$ takes the same values of its argument w.r.t. the universal
variables in $\wp$ and Item 2 ensures that the value of $\theta$ w.r.t. an existential variable $x$ in $\wp$
does not depend on variables not in $\mathrm{Dep}(\wp, x)$. To get a better insight into this definition, a
dependence map $\theta$ for $\wp$ can be considered as a set of Skolem functions that, given a value for each
variable in $V(\wp)$ that is universally quantified in $\wp$, returns a possible value for all the
existential variables in $\wp$, in a way that is consistent w.r.t. the order of quantifications. Observe
that each $\theta \in \mathrm{DM}_D(\wp)$ is injective, so
$|\mathsf{rng}(\theta)| = |\mathsf{dom}(\theta)| = |D|^{|[[\wp]]|}$. Moreover,
$|\mathrm{DM}_D(\wp)| = \prod_{x \in \langle\langle\wp\rangle\rangle}$ ■
As an example, let $D = \{0, 1\}$ and $\wp = [[x]]\langle\langle y \rangle\rangle[[z]] \in \mathrm{Qnt}(V)$ be a
quantification prefix over $V = \{x, y, z\}$. Then, we have that $|\mathrm{DM}_D(\wp)| = 4$ and
$|\mathrm{DM}_D(\overline{\wp})| = 8$. Moreover, the dependence maps $\theta_i \in \mathrm{DM}_D(\wp)$ with
$i \in [0, 3]$ and $\overline{\theta}_i \in \mathrm{DM}_D(\overline{\wp})$ with $i \in [0, 7]$, for a particular
fixed order, are such that $\theta_0(v)(y) = 0$, $\theta_1(v)(y) = v(x)$, $\theta_2(v)(y) = 1 - v(x)$, and
$\theta_3(v)(y) = 1$, for all $v \in \mathrm{Val}_D([[\wp]])$, and $\overline{\theta}_i(v)(x) = 0$ with
$i \in [0, 3]$, $\overline{\theta}_i(v)(x) = 1$ with $i \in [4, 7]$,
$\overline{\theta}_0(v)(z) = \overline{\theta}_4(v)(z) = 0$,
$\overline{\theta}_1(v)(z) = \overline{\theta}_5(v)(z) = v(y)$,
$\overline{\theta}_2(v)(z) = \overline{\theta}_6(v)(z) = 1 - v(y)$, and
$\overline{\theta}_3(v)(z) = \overline{\theta}_7(v)(z) = 1$, for all
$v \in \mathrm{Val}_D([[\overline{\wp}]])$.

We now prove the following fundamental theorem that describes how to eliminate the strategy
quantifications of an Sl formula via a choice of a suitable dependence map over strategies. This
procedure can be seen as the equivalent of Skolemization in first order logic (see [Hodges 1993], for
more details).

Footnote: By $g_{\restriction Z} : (X \cap Z) \to Y$ we denote the restriction of a function $g : X \to Y$ to the
elements in the set $Z$.

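Theorem 4.6 (Sl Strategy Quantification). Let $\mathcal{G}$ be a Cgs and $\varphi = \wp\psi$ an Sl
formula, being $\wp \in \mathrm{Qnt}(V)$ a quantification prefix over a set
$V \subseteq \mathsf{free}(\psi) \cap \mathrm{Var}$ of variables. Then, for all assignments
$\chi \in \mathrm{Asg}(\mathsf{free}(\varphi), s_0)$, the following holds: $\mathcal{G}, \chi, s_0 \models \varphi$
iff there exists a dependence map $\theta \in \mathrm{DM}_{\mathrm{Str}(s_0)}(\wp)$ such that
$\mathcal{G}, \chi \uplus \theta(\chi'), s_0 \models \psi$, for all $\chi' \in \mathrm{Asg}([[\wp]], s_0)$.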

Proof. The proof proceeds by induction on the length of the quantification prefix $\wp$. For
the base case $|\wp| = 0$, the thesis immediately follows, since $[[\wp]] = \emptyset$ and, consequently, both
$\mathrm{DM}_{\mathrm{Str}(s_0)}(\wp)$ and $\mathrm{Asg}([[\wp]], s_0)$ contain the empty function only (we are
assuming, by convention, that $\emptyset(\emptyset) = \emptyset$).

We now prove, separately, the two directions of the inductive case. 

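[Only if]. Suppose that $\mathcal{G}, \chi, s_0 \models \wp\psi$, where $\wp = \mathrm{Qn} \cdot \wp'$. Then, two
possible cases arise: either $\mathrm{Qn} = \langle\langle x \rangle\rangle$ or $\mathrm{Qn} = [[x]]$.

- $\mathrm{Qn} = \langle\langle x \rangle\rangle$.

By Item 3a of Definition 2.16 of Sl semantics, there is a strategy $f \in \mathrm{Str}(s_0)$ such that
$\mathcal{G}, \chi[x \mapsto f], s_0 \models \wp'\psi$. Note that $[[\wp]] = [[\wp']]$. By the inductive
hypothesis, we have that there exists a dependence map $\theta \in \mathrm{DM}_{\mathrm{Str}(s_0)}(\wp')$ such that
$\mathcal{G}, \chi[x \mapsto f] \uplus \theta(\chi'), s_0 \models \psi$, for all
$\chi' \in \mathrm{Asg}([[\wp']], s_0)$. Now, consider the function
$\theta' : \mathrm{Asg}([[\wp]], s_0) \to \mathrm{Asg}(V, s_0)$ defined by
$\theta'(\chi') \triangleq \theta(\chi')[x \mapsto f]$, for all $\chi' \in \mathrm{Asg}([[\wp]], s_0)$. It is easy
to check that $\theta'$ is a dependence map for $\wp$ over $\mathrm{Str}(s_0)$, i.e.,
$\theta' \in \mathrm{DM}_{\mathrm{Str}(s_0)}(\wp)$. Moreover,
$\chi[x \mapsto f] \uplus \theta(\chi') = \chi \uplus \theta(\chi')[x \mapsto f] = \chi \uplus \theta'(\chi')$,
for $\chi' \in \mathrm{Asg}([[\wp]], s_0)$. Hence, $\mathcal{G}, \chi \uplus \theta'(\chi'), s_0 \models \psi$, for
all $\chi' \in \mathrm{Asg}([[\wp]], s_0)$.

- $\mathrm{Qn} = [[x]]$.

By Item 3b of Definition 2.16, we have that, for all strategies $f \in \mathrm{Str}(s_0)$, it holds that
$\mathcal{G}, \chi[x \mapsto f], s_0 \models \wp'\psi$. Note that $[[\wp]] = [[\wp']] \cup \{x\}$. By the
inductive hypothesis, we derive that, for each $f \in \mathrm{Str}(s_0)$, there exists a dependence map
$\theta_f \in \mathrm{DM}_{\mathrm{Str}(s_0)}(\wp')$ such that
$\mathcal{G}, \chi[x \mapsto f] \uplus \theta_f(\chi'), s_0 \models \psi$, for all
$\chi' \in \mathrm{Asg}([[\wp']], s_0)$. Now, consider the function
$\theta' : \mathrm{Asg}([[\wp]], s_0) \to \mathrm{Asg}(V, s_0)$ defined by
$\theta'(\chi') \triangleq \theta_{\chi'(x)}(\chi'_{\restriction [[\wp']]})[x \mapsto \chi'(x)]$, for all
$\chi' \in \mathrm{Asg}([[\wp]], s_0)$. It is evident that $\theta'$ is a dependence map for $\wp$ over
$\mathrm{Str}(s_0)$, i.e., $\theta' \in \mathrm{DM}_{\mathrm{Str}(s_0)}(\wp)$. Moreover,
$\chi[x \mapsto f] \uplus \theta_f(\chi') = \chi \uplus \theta_f(\chi')[x \mapsto f] = \chi \uplus \theta'(\chi'[x \mapsto f])$,
for $f \in \mathrm{Str}(s_0)$ and $\chi' \in \mathrm{Asg}([[\wp']], s_0)$. Hence,
$\mathcal{G}, \chi \uplus \theta'(\chi'), s_0 \models \psi$, for all $\chi' \in \mathrm{Asg}([[\wp]], s_0)$.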

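[If]. Suppose that there exists a dependence map $\theta \in \mathrm{DM}_{\mathrm{Str}(s_0)}(\wp)$ such that
$\mathcal{G}, \chi \uplus \theta(\chi'), s_0 \models \psi$, for all $\chi' \in \mathrm{Asg}([[\wp]], s_0)$, where
$\wp = \mathrm{Qn} \cdot \wp'$. Then, two possible cases arise: either
$\mathrm{Qn} = \langle\langle x \rangle\rangle$ or $\mathrm{Qn} = [[x]]$.

- $\mathrm{Qn} = \langle\langle x \rangle\rangle$.

There is a strategy $f \in \mathrm{Str}(s_0)$ such that $f = \theta(\chi')(x)$, for all
$\chi' \in \mathrm{Asg}([[\wp]], s_0)$. Note that $[[\wp]] = [[\wp']]$. Consider the function
$\theta' : \mathrm{Asg}([[\wp']], s_0) \to \mathrm{Asg}(V \setminus \{x\}, s_0)$ defined by
$\theta'(\chi') \triangleq \theta(\chi')_{\restriction (V \setminus \{x\})}$, for all
$\chi' \in \mathrm{Asg}([[\wp']], s_0)$. It is easy to check that $\theta'$ is a dependence map for $\wp'$
over $\mathrm{Str}(s_0)$, i.e., $\theta' \in \mathrm{DM}_{\mathrm{Str}(s_0)}(\wp')$. Moreover,
$\chi \uplus \theta(\chi') = \chi \uplus \theta'(\chi')[x \mapsto f] = \chi[x \mapsto f] \uplus \theta'(\chi')$,
for $\chi' \in \mathrm{Asg}([[\wp']], s_0)$. Then, it is evident that
$\mathcal{G}, \chi[x \mapsto f] \uplus \theta'(\chi'), s_0 \models \psi$, for all
$\chi' \in \mathrm{Asg}([[\wp']], s_0)$. By the inductive hypothesis, we derive that
$\mathcal{G}, \chi[x \mapsto f], s_0 \models \wp'\psi$, which means that
$\mathcal{G}, \chi, s_0 \models \wp\psi$, by Item 3a of Definition 2.16 of Sl semantics.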

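- $\mathrm{Qn} = [[x]]$.

First note that $[[\wp]] = [[\wp']] \cup \{x\}$. Also, consider the functions
$\theta_f : \mathrm{Asg}([[\wp']], s_0) \to \mathrm{Asg}(V \setminus \{x\}, s_0)$ defined by
$\theta_f(\chi') \triangleq \theta(\chi'[x \mapsto f])_{\restriction (V \setminus \{x\})}$, for each
$f \in \mathrm{Str}(s_0)$ and $\chi' \in \mathrm{Asg}([[\wp']], s_0)$.
It is easy to see that every $\theta_f$ is a dependence map for $\wp'$ over $\mathrm{Str}(s_0)$, i.e.,
$\theta_f \in \mathrm{DM}_{\mathrm{Str}(s_0)}(\wp')$. Moreover,
$\chi \uplus \theta(\chi') = \chi \uplus \theta_{\chi'(x)}(\chi'_{\restriction [[\wp']]})[x \mapsto \chi'(x)] = \chi[x \mapsto \chi'(x)] \uplus \theta_{\chi'(x)}(\chi'_{\restriction [[\wp']]})$,
for $\chi' \in \mathrm{Asg}([[\wp]], s_0)$. Then, it is evident that
$\mathcal{G}, \chi[x \mapsto f] \uplus \theta_f(\chi'), s_0 \models \psi$, for all $f \in \mathrm{Str}(s_0)$ and
$\chi' \in \mathrm{Asg}([[\wp']], s_0)$. By the inductive hypothesis, we derive that
$\mathcal{G}, \chi[x \mapsto f], s_0 \models \wp'\psi$, for all $f \in \mathrm{Str}(s_0)$, which means that
$\mathcal{G}, \chi, s_0 \models \wp\psi$, by Item 3b of Definition 2.16.

Thus, the thesis of the theorem holds. □

Footnote: By $g_1 \uplus g_2 : (X_1 \cup X_2) \to (Y_1 \cup Y_2)$ we denote the operation of union of two functions
$g_1 : X_1 \to Y_1$ and $g_2 : X_2 \to Y_2$ defined on disjoint domains, i.e., $X_1 \cap X_2 = \emptyset$.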

As an immediate consequence of the previous result, we derive the following corollary. 

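Corollary 4.7 (Sl Strategy Quantification). Let $\mathcal{G}$ be a Cgs and $\varphi = \wp\psi$ an Sl
sentence, where $\psi$ is agent-closed and $\wp \in \mathrm{Qnt}(\mathsf{free}(\psi))$. Then,
$\mathcal{G} \models \varphi$ iff there exists a dependence map
$\theta \in \mathrm{DM}_{\mathrm{Str}(s_0)}(\wp)$ such that $\mathcal{G}, \theta(\chi), s_0 \models \psi$, for all
$\chi \in \mathrm{Asg}([[\wp]], s_0)$.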

4.3. Elementary quantifications 

We now have all tools we need to introduce the property of elementariness for a particular class of
dependence maps. Intuitively, a dependence map over functions from a set $T$ to a set $D$ is elementary
if it can be split into a set of dependence maps over $D$, one for each element of $T$. This idea
allows us to enormously simplify the reasoning about strategy quantifications, since we can reduce
them to a set of quantifications over actions, one for each track in their domains. This means that,
under certain conditions, we can transform a dependence map $\theta \in \mathrm{DM}_{\mathrm{Str}(s)}(\wp)$ over
strategies in a function $\widetilde{\theta} : \mathrm{Trk}(s) \to \mathrm{DM}_{\mathrm{Ac}}(\wp)$ that associates
with each track a dependence map over actions.

To formally develop the above idea, we have first to introduce the generic concept of adjoint 
function and state an auxiliary lemma. 

Definition 4.8 (Adjoint Functions). Let $D$, $T$, $U$, and $V$ be four sets, and
$m : (T \to D)^U \to (T \to D)^V$ and $\widetilde{m} : T \to (D^U \to D^V)$ two functions. Then,
$\widetilde{m}$ is the adjoint of $m$ if $\widetilde{m}(t)(\widehat{g}(t))(x) = m(g)(x)(t)$, for all
$g \in (T \to D)^U$, $x \in V$, and $t \in T$.

Intuitively, $\widetilde{m}$ is the adjoint of $m$ if the dependence from the set $T$ in both domain and
codomain of the latter can be extracted and put as a common factor of the functor given by the former.
This means also that, for every pair of functions $g_1, g_2 \in (T \to D)^U$ such that
$\widehat{g_1}(t) = \widehat{g_2}(t)$ for some $t \in T$, it holds that $m(g_1)(x)(t) = m(g_2)(x)(t)$, for all
$x \in V$. It is immediate to observe that if a function has an adjoint then this adjoint is unique. In
the same way, if one has an adjoint function then it is possible to determine the original function
without any ambiguity. Thus, a one-to-one correspondence is established between functions admitting an
adjoint and the adjoint itself.

The next lemma formally states the property briefly described above, i.e., that each dependence map
over a set $T \to D$, admitting an adjoint function, can be represented as a function, with $T$ as domain,
which returns dependence maps over $D$ as values.

Lemma 4.9 (Adjoint Dependence Maps). Let $\wp \in \mathrm{Qnt}(V)$ be a quantification prefix over
a set $V \subseteq \mathrm{Var}$ of variables, $D$ and $T$ two sets, and
$\theta : \mathrm{Val}_{T \to D}([[\wp]]) \to \mathrm{Val}_{T \to D}(V)$ and
$\widetilde{\theta} : T \to (\mathrm{Val}_D([[\wp]]) \to \mathrm{Val}_D(V))$ two functions such that
$\widetilde{\theta}$ is the adjoint of $\theta$. Then, $\theta \in \mathrm{DM}_{T \to D}(\wp)$ iff,
for all $t \in T$, it holds that $\widetilde{\theta}(t) \in \mathrm{DM}_D(\wp)$.

We now define the formal meaning of the elementariness of a dependence map over functions. 

Definition 4.10 (Elementary Dependence Maps). Let $\wp \in \mathrm{Qnt}(V)$ be a quantification prefix
over a set $V \subseteq \mathrm{Var}$ of variables, $D$ and $T$ two sets, and
$\theta \in \mathrm{DM}_{T \to D}(\wp)$ a dependence map for $\wp$ over $T \to D$. Then, $\theta$ is elementary if
it admits an adjoint function. $\mathrm{EDM}_{T \to D}(\wp)$ denotes the set of all elementary dependence
maps for $\wp$ over $T \to D$.

Footnote: By $\widehat{g} : Y \to X \to Z$ we denote the operation of flipping of a function
$g : X \to Y \to Z$.

It is important to observe that, unfortunately, there are dependence maps that are not elementary.
To easily understand why this is actually the case, it is enough to count both the number
of dependence maps $\mathrm{DM}_{T \to D}(\wp)$ and of adjoint functions $T \to \mathrm{DM}_D(\wp)$, where
$|D| > 1$, $|T| > 1$ and $\wp$ is such that there is an $x \in \langle\langle\wp\rangle\rangle$ for which
$\mathrm{Dep}(\wp, x) \neq \emptyset$. Indeed, it holds that

$$|\mathrm{DM}_{T \to D}(\wp)| = \prod_{x \in \langle\langle\wp\rangle\rangle} |D|^{|T| \cdot |D|^{|T| \cdot |\mathrm{Dep}(\wp, x)|}} > \prod_{x \in \langle\langle\wp\rangle\rangle} |D|^{|T| \cdot |D|^{|\mathrm{Dep}(\wp, x)|}} = |T \to \mathrm{DM}_D(\wp)|.$$

So, there are many more dependence maps, a number double exponential in $|T|$, than possible adjoint
functions, whose number is only exponential in this value. Furthermore, observe that the simple
set
$\mathrm{Qnt}_{\exists^*\forall^*}(V) \triangleq \{\wp \in \mathrm{Qnt}(V) : \exists i \in [0, |\wp|] \,.\, [[(\wp)_{<i}]] = \emptyset \wedge \langle\langle(\wp)_{\geq i}\rangle\rangle = \emptyset\}$,
for $V \subseteq \mathrm{Var}$, is the maximal class of quantification prefixes that admits only elementary
dependence maps over $T \to D$, i.e., it is such that each $\theta \in \mathrm{DM}_{T \to D}(\wp)$ is elementary,
for all $\wp \in \mathrm{Qnt}_{\exists^*\forall^*}(V)$. This is due to the fact that there are no functional
dependences between variables, i.e., for each $x \in \langle\langle\wp\rangle\rangle$,
it holds that $\mathrm{Dep}(\wp, x) = \emptyset$.
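
Both the $D = \{0, 1\}$ example following Definition 4.5 and the counting argument above can be reproduced by enumeration. The following is an added example, not code from the paper: it encodes $[[x]]$ as `A:x` and $\langle\langle x \rangle\rangle$ as `E:x`, represents a function $T \to D$ as a tuple indexed by the elements of $T$, and tests elementariness as "the value at $t$ is determined by the arguments' values at $t$", which is equivalent to admitting an adjoint. `closed_form` is the usual Skolem-function count (one function from the valuations of $\mathrm{Dep}(\wp, x)$ to the domain per existential $x$), stated here as this example's assumption rather than taken from the page.

```python
from itertools import product


def parse(text):
    """'A:x E:y A:z' -> [('A','x'), ('E','y'), ('A','z')]; A is [[.]], E is <<.>>."""
    return [tuple(token.split(":")) for token in text.split()]


def dual(prefix):
    """Dualize every quantifier of the prefix."""
    return [("E" if q == "A" else "A", v) for q, v in prefix]


def dep(prefix, y):
    """Dep(prefix, y): universal variables quantified before an existential y."""
    before = []
    for q, v in prefix:
        if v == y:
            return tuple(before) if q == "E" else ()
        if q == "A":
            before.append(v)
    raise KeyError(y)


def determined_by(theta, key_of, value_of):
    """True iff value_of(theta(arg)) is a function of key_of(arg) over all arguments."""
    seen = {}
    for arg, full in theta.items():
        if seen.setdefault(key_of(arg), value_of(full)) != value_of(full):
            return False
    return True


def dependence_maps(prefix, domain):
    """Every map of Definition 4.5 over `domain`, as {universal valuation: full valuation}."""
    univ = [v for q, v in prefix if q == "A"]
    exis = [v for q, v in prefix if q == "E"]
    args = [tuple(zip(univ, vals)) for vals in product(domain, repeat=len(univ))]
    maps = []
    for picks in product(product(domain, repeat=len(exis)), repeat=len(args)):
        # Item 1 holds by construction: theta(v) extends v.
        theta = {arg: {**dict(arg), **dict(zip(exis, pick))}
                 for arg, pick in zip(args, picks)}
        # Item 2: theta(v)(x) may depend only on v restricted to Dep(prefix, x).
        if all(determined_by(
                theta,
                lambda arg, d=dep(prefix, x): tuple(val for var, val in arg if var in d),
                lambda full, x=x: full[x]) for x in exis):
            maps.append(theta)
    return maps


def is_elementary(theta, prefix, n_points):
    """For maps over T -> D with T = range(n_points): does theta admit an adjoint?"""
    exis = [v for q, v in prefix if q == "E"]
    return all(determined_by(
        theta,
        lambda arg, t=t: tuple(val[t] for _, val in arg),
        lambda full, x=x, t=t: full[x][t])
        for t in range(n_points) for x in exis)


def elementary_gap(prefix, domain, n_points):
    """(number of dependence maps over T -> D, number of elementary ones)."""
    functions = list(product(domain, repeat=n_points))
    maps = dependence_maps(prefix, functions)
    return len(maps), sum(is_elementary(m, prefix, n_points) for m in maps)


def closed_form(prefix, size):
    """Product over existential x of size ** (size ** |Dep(prefix, x)|)."""
    count = 1
    for q, x in prefix:
        if q == "E":
            count *= size ** (size ** len(dep(prefix, x)))
    return count


if __name__ == "__main__":
    p = parse("A:x E:y A:z")
    print(len(dependence_maps(p, (0, 1))), len(dependence_maps(dual(p), (0, 1))))
    print(elementary_gap(parse("A:x E:y"), (0, 1), 2))
```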

Finally, we can introduce a new very important semantics for Sl syntactic fragments, which is
based on the concept of elementary dependence map over strategies, and we refer to the related
satisfiability concept as elementary satisfiability, in symbols $\models_E$. Intuitively, such a
semantics has the peculiarity that a strategy, used in an existential quantification in order to satisfy
a formula, is only chosen between those that are elementary w.r.t. the universal quantifications. In
this way, when we have to decide what is its value $c$ on a given track $\rho$, we do it only in dependence
of the values on the same track of the strategies so far quantified, but not on their whole structure, as
is the case instead in the classic semantics. This means that $c$ does not depend on the values of the
other strategies on tracks $\rho'$ that extend $\rho$, i.e., it does not depend on future choices made on
$\rho'$. In addition, we have that $c$ does not depend on values on parallel tracks $\rho'$ that only share
a prefix with $\rho$, i.e., it is independent of choices made on the possibly alternative futures $\rho'$.
The elementary semantics of Sl[ng] formulas involving atomic propositions, Boolean connectives, temporal
operators, and agent bindings is defined as for the classic one, where the modeling relation $\models$ is
substituted with $\models_E$, and we omit to report it here. In the following definition, we only
describe the part concerning the quantification prefixes.

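Definition 4.11 (Sl[ng] Elementary Semantics). Let $\mathcal{G}$ be a Cgs, $s \in \mathrm{St}$ one of its
states, and $\wp\psi$ an Sl[ng] formula, where $\psi$ is agent-closed and
$\wp \in \mathrm{Qnt}(\mathsf{free}(\psi))$. Then $\mathcal{G}, \emptyset, s \models_E \wp\psi$
if there is an elementary dependence map $\theta \in \mathrm{EDM}_{\mathrm{Str}(s)}(\wp)$ for $\wp$ over
$\mathrm{Str}(s)$ such that $\mathcal{G}, \theta(\chi), s \models_E \psi$, for all
$\chi \in \mathrm{Asg}([[\wp]], s)$.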

It is immediate to see a strong similarity between the statement of Corollary 4.7 of Sl strategy
quantification and the previous definition. The only crucial difference resides in the choice of the kind
of dependence map. Moreover, observe that, differently from the classic semantics, the quantifications
in the prefix are not treated individually but as an atomic block. This is due to the necessity of having
a strict correlation between the point-wise structure of the quantified strategies.

Remark 4.12 (Sl Elementary Semantics). It can be interesting to know that we do not define 
an elementary semantics for the whole Sl, since we are not able, at the moment, to easily use the 
concept of elementary dependence map, when the quantifications are not necessarily grouped in pre- 
fixes, i.e., when the formula is not in prenex normal form. In fact, this may represent a challenging 
problem, whose solution is left to future works. 

Due to the new semantics of Sl[ng], we have to redefine the related concepts of model and
satisfiability, in order to differentiate between the classic relation $\models$ and the elementary one
$\models_E$. Indeed, as we show later, there are sentences that are satisfiable but not elementarily
satisfiable and vice versa.

Definition 4.13 (Sl[ng] Elementary Satisfiability). We say that a Cgs $\mathcal{G}$ is an elementary
model of an Sl[ng] sentence $\varphi$, in symbols $\mathcal{G} \models_E \varphi$, if
$\mathcal{G}, \emptyset, s_0 \models_E \varphi$. In general, we also say that $\mathcal{G}$ is an elementary
model for $\varphi$ on $s \in \mathrm{St}$, in symbols $\mathcal{G}, s \models_E \varphi$, if
$\mathcal{G}, \emptyset, s \models_E \varphi$. An Sl[ng] sentence $\varphi$ is elementarily satisfiable if
there is an elementary model for it.

We have to modify the concepts of implication and equivalence, as well. Indeed, also in this case
we can have pairs of equivalent formulas that are not elementarily equivalent, and vice versa. Thus,
we have to be careful when we use natural transformations between formulas, since it can be the case
that they preserve the meaning only under the classic semantics. An example of this problem can
arise when one wants to put a formula in pnf.

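Definition 4.14 (Sl[ng] Elementary Implication and Equivalence). Given two Sl[ng] formulas
$\varphi_1$ and $\varphi_2$ with $\mathsf{free}(\varphi_1) = \mathsf{free}(\varphi_2)$, we say that $\varphi_1$
elementarily implies $\varphi_2$, in symbols $\varphi_1 \Rightarrow_E \varphi_2$, if, for all Cgss
$\mathcal{G}$, states $s \in \mathrm{St}$, and $\mathsf{free}(\varphi_1)$-defined $s$-total assignments
$\chi \in \mathrm{Asg}(\mathsf{free}(\varphi_1), s)$, it holds that if
$\mathcal{G}, \chi, s \models_E \varphi_1$ then $\mathcal{G}, \chi, s \models_E \varphi_2$. Accordingly, we say
that $\varphi_1$ is elementarily equivalent to $\varphi_2$, in symbols $\varphi_1 \equiv_E \varphi_2$, if both
$\varphi_1 \Rightarrow_E \varphi_2$ and $\varphi_2 \Rightarrow_E \varphi_1$ hold.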

4.4. Elementariness and non-elementariness 

Finally, we show that the introduced concept of elementary satisfiability is relevant to the context
of our logic, as its applicability represents a demarcation line between "easy" and "hard" fragments
of Sl. Moreover, we believe that it is because of this fundamental property that several well-known
temporal logics are so robustly decidable [Vardi 1996].

Remark 4.15 (Sl[ng, 0-alt] Elementariness). It is interesting to observe that, for every Cgs
$\mathcal{G}$ and Sl[ng, 0-alt] sentence $\varphi$, it holds that $\mathcal{G} \models \varphi$ iff
$\mathcal{G} \models_E \varphi$. This is an immediate consequence of the fact that all quantification
prefixes $\wp$ used in $\varphi$ belong to $\mathrm{Qnt}_{\exists^*\forall^*}(V)$, for a given set
$V \subseteq \mathrm{Var}$ of variables. Thus, as already mentioned, the related dependence maps on strategies
$\theta \in \mathrm{DM}_{\mathrm{Str}(s_0)}(\wp)$ are necessarily elementary.

By Corollary 4.7 of Sl strategy quantification, it is easy to see that the following coherence
property about the elementariness of the Sl[ng] satisfiability holds. Intuitively, it asserts that every 
elementarily satisfiable sentence in pnf is satisfiable too. 

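Theorem 4.16 (Sl[ng] Elementary Coherence). Let $\mathcal{G}$ be a Cgs, $s \in \mathrm{St}$ one of
its states, $\varphi$ an Sl[ng] formula in pnf, and $\chi \in \mathrm{Asg}(s)$ an $s$-total
assignment with $\mathrm{free}(\varphi) \subseteq \mathrm{dom}(\chi)$. Then, it holds that
$\mathcal{G}, \chi, s \models_E \varphi$ implies $\mathcal{G}, \chi, s \models \varphi$.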

Proof. The proof proceeds by induction on the structure of the formula. For the sake of
succinctness, we only show the crucial case of principal subsentences
$\phi \in \mathrm{psnt}(\varphi)$, i.e., when $\phi$ is of the form $\wp\psi$, where
$\wp \in \mathrm{Qnt}(\mathrm{free}(\psi))$ is a quantification prefix, and $\psi$ is an
agent-closed formula.

Suppose that $\mathcal{G}, \emptyset, s \models_E \wp\psi$. Then, by Definition 4.11 of Sl[ng]
elementary semantics, there is an elementary dependence map
$\theta \in \mathrm{EDM}_{\mathrm{Str}(s)}(\wp)$ such that, for all assignments
$\chi \in \mathrm{Asg}([[\wp]], s)$, it holds that $\mathcal{G}, \theta(\chi), s \models_E \psi$.
Now, by the inductive hypothesis, there is a dependence map
$\theta \in \mathrm{DM}_{\mathrm{Str}(s)}(\wp)$ such that, for all assignments
$\chi \in \mathrm{Asg}([[\wp]], s)$, it holds that $\mathcal{G}, \theta(\chi), s \models \psi$. Hence,
by Corollary 4.7 of Sl strategy quantification, we have that
$\mathcal{G}, \emptyset, s \models \wp\psi$. □

However, it is worth noting that the converse property may not hold, as we show in the next 
theorem, i.e., there are sentences in pnf that are satisfiable but not elementarily satisfiable. Note that 
the following result already holds for CHP-Sl.

Theorem 4.17 (Tb-Sl[bg] Non-Elementariness). There exists a satisfiable Tb- 
Sl[bg, 1-ag, 2-var, 1-alt] sentence in pnf that is not elementarily satisfiable. 

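Proof. Consider the Tb-Sl[bg, 1-ag, 2-var, 1-alt] sentence $\varphi = \varphi_1 \wedge \varphi_2$
in pnf where

$\varphi_1 = \wp(\psi_1 \wedge \psi_2)$, with $\wp = [[x]]\langle\langle y \rangle\rangle$,
$\psi_1 = (\alpha, x)\mathsf{X}\, p \leftrightarrow (\alpha, y)\mathsf{X}\, \neg p$, and
$\psi_2 = (\alpha, x)\mathsf{X}\mathsf{X}\, p \leftrightarrow (\alpha, y)\mathsf{X}\mathsf{X}\, p$, and
$\varphi_2 = [[x]](\alpha, x)\mathsf{X}\, ((\langle\langle x \rangle\rangle(\alpha, x)\mathsf{X}\, p) \wedge (\langle\langle x \rangle\rangle(\alpha, x)\mathsf{X}\, \neg p))$.
Moreover, note that the Tb-Sl[1g, 1-ag, 1-var, 0-alt] sentence $\varphi_2$ is equivalent to the
Ctl formula $\mathsf{AX}\, ((\mathsf{EX}\, p) \wedge (\mathsf{EX}\, \neg p))$.
Then, it is easy to see that the turn-based Cgs $\mathcal{G}_{Rdc}$ of Figure 4 on page 15
satisfies $\varphi$. Indeed, $\mathcal{G}_{Rdc}, \theta(\chi), s_0 \models \psi_1 \wedge \psi_2$, for all
assignments $\chi \in \mathrm{Asg}(\{x\}, s_0)$, where the non-elementary dependence map
$\theta \in \mathrm{DM}_{\mathrm{Str}(s_0)}(\wp)$ is such that
$\theta(\chi)(y)(s_0) = \neg\chi(x)(s_0)$ and
$\theta(\chi)(y)(s_0 \cdot s_i) = \chi(x)(s_0 \cdot s_{1-i})$, for all $i \in \{0, 1\}$.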

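Now, let $\mathcal{G}$ be a generic Cgs. If $\mathcal{G} \not\models \varphi$, by Theorem 4.16 of
Sl[ng] elementary coherence, it holds that $\mathcal{G} \not\models_E \varphi$. Otherwise, we have
that $\mathcal{G} \models \varphi$ and, in particular, $\mathcal{G} \models \varphi_1$, which means
that $\mathcal{G} \models \wp(\psi_1 \wedge \psi_2)$. At this point, to prove that
$\mathcal{G} \not\models_E \varphi$, we show that, for all elementary dependence maps
$\theta \in \mathrm{EDM}_{\mathrm{Str}(s_0)}(\wp)$, there exists an assignment
$\chi \in \mathrm{Asg}(\{x\}, s_0)$ such that
$\mathcal{G}, \theta(\chi), s_0 \not\models_E \psi_1 \wedge \psi_2$. To do this, let us fix an
elementary dependence map $\theta$ and an assignment $\chi$. Also, assume
$s_1 = \tau(s_0, \emptyset[\alpha \mapsto \chi(x)(s_0)])$ and
$s_2 = \tau(s_0, \emptyset[\alpha \mapsto \theta(\chi)(y)(s_0)])$. Now, we distinguish between two
cases.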

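— $p \in \lambda(s_1)$ iff $p \in \lambda(s_2)$. In this case, we can easily observe that
$\mathcal{G}, \theta(\chi), s_0 \not\models \psi_1$ and consequently, by Theorem 4.16, it holds that
$\mathcal{G}, \theta(\chi), s_0 \not\models_E \psi_1 \wedge \psi_2$. So, we are done.

— $p \in \lambda(s_1)$ iff $p \notin \lambda(s_2)$. If
$\mathcal{G}, \theta(\chi), s_0 \not\models \psi_2$ then, by Theorem 4.16, it holds that
$\mathcal{G}, \theta(\chi), s_0 \not\models_E \psi_1 \wedge \psi_2$. So, we are done. Otherwise, let
$s_3 = \tau(s_1, \emptyset[\alpha \mapsto \chi(x)(s_0 \cdot s_1)])$ and
$s_4 = \tau(s_2, \emptyset[\alpha \mapsto \theta(\chi)(y)(s_0 \cdot s_2)])$. Then, it holds that
$p \in \lambda(s_3)$ iff $p \in \lambda(s_4)$. Now, consider a new assignment
$\chi' \in \mathrm{Asg}(\{x\}, s_0)$ such that $\chi'(x)(s_0 \cdot s_2) = \chi(x)(s_0 \cdot s_2)$ and
$p \in \lambda(s_3')$ iff $p \notin \lambda(s_4)$, where
$s_3' = \tau(s_1, \emptyset[\alpha \mapsto \chi'(x)(s_0 \cdot s_1)])$. Observe that the existence of
such an assignment, with particular reference to the second condition, is ensured by the fact that
$\mathcal{G} \models \varphi_2$. At this point, due to the elementariness of the dependence map
$\theta$, we have that $\theta(\chi')(y)(s_0 \cdot s_2) = \theta(\chi)(y)(s_0 \cdot s_2)$.
Consequently, it holds that
$s_4 = \tau(s_2, \emptyset[\alpha \mapsto \theta(\chi')(y)(s_0 \cdot s_2)])$. Thus,
$\mathcal{G}, \theta(\chi'), s_0 \not\models \psi_2$, which implies, by Theorem 4.16, that
$\mathcal{G}, \theta(\chi'), s_0 \not\models_E \psi_1 \wedge \psi_2$. So, we are done.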

Thus, the thesis of the theorem holds. □ 
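
The argument above can be replayed by brute force on a small structure. The following Python
sketch is an added example, not part of the paper: the one-agent tree below is a constructed
model (Figure 4 is not reproduced on this page), and "elementary" is read as in the proof, i.e.
the action chosen for y on a track depends only on the action chosen for x on that same track.

```python
from itertools import product

# Constructed turn-based structure with one agent and actions {0, 1} (assumption:
# it only has the shape the proof needs; it is not the paper's Figure 4).
# From s0 the agent moves to s1 or s2, and from there to one of two leaves.
TRANS = {
    ("s0", 0): "s1", ("s0", 1): "s2",
    ("s1", 0): "s3", ("s1", 1): "s4",
    ("s2", 0): "s5", ("s2", 1): "s6",
}
LABEL_P = {"s1", "s3", "s5"}                      # states where p holds
TRACKS = [("s0",), ("s0", "s1"), ("s0", "s2")]    # tracks relevant to X and XX
ACTIONS = (0, 1)


def play(strategy):
    """First two states reached from s0 under `strategy` (dict: track -> action)."""
    t1 = TRANS[("s0", strategy[("s0",)])]
    t2 = TRANS[(t1, strategy[("s0", t1)])]
    return t1, t2


def goal_holds(chi_x, chi_y):
    """psi1 and psi2: ((a,x)X p <-> (a,y)X !p) and ((a,x)XX p <-> (a,y)XX p)."""
    x1, x2 = play(chi_x)
    y1, y2 = play(chi_y)
    psi1 = (x1 in LABEL_P) == (y1 not in LABEL_P)
    psi2 = (x2 in LABEL_P) == (y2 in LABEL_P)
    return psi1 and psi2


def all_strategies():
    """Every strategy restricted to the three relevant tracks (2^3 of them)."""
    return [dict(zip(TRACKS, acts)) for acts in product(ACTIONS, repeat=len(TRACKS))]


def proof_map(chi_x):
    """Dependence map from the proof: complement the action at s0 and swap the
    actions of the two second-level tracks."""
    return {
        ("s0",): 1 - chi_x[("s0",)],
        ("s0", "s1"): chi_x[("s0", "s2")],
        ("s0", "s2"): chi_x[("s0", "s1")],
    }


def satisfiable():
    """[[x]]<<y>>(psi1 and psi2): each strategy for x has an answer for y."""
    return all(any(goal_holds(cx, cy) for cy in all_strategies())
               for cx in all_strategies())


def elementary_witnesses():
    """Elementary maps answer track by track: y(rho) = f_rho(x(rho)).
    Each f_rho is one of the four functions {0,1} -> {0,1}, encoded as
    (f(0), f(1)); return every combination that satisfies the goal."""
    local_fns = list(product(ACTIONS, repeat=2))
    found = []
    for choice in product(local_fns, repeat=len(TRACKS)):
        fmap = dict(zip(TRACKS, choice))
        theta = lambda cx: {rho: fmap[rho][cx[rho]] for rho in TRACKS}
        if all(goal_holds(cx, theta(cx)) for cx in all_strategies()):
            found.append(fmap)
    return found
```

On this model the swap in `proof_map` is forced: the answer on track s0·s2 has to copy the action
taken on s0·s1, which no track-local function can see, so none of the 64 elementary candidates works.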

The following corollary is an immediate consequence of the previous theorem. It is interesting 
to note that, at the moment, we do not know if such a result can be extended to the simpler Gl 
fragment. 

Corollary 4.18 (Sl[bg] Non-Elementariness). There exists a satisfiable Sl[bg, 1-ag, 
2-var, 1-alt] sentence in pnf that is not elementarily satisfiable. 

Remark 4.19 (Kinds of Non-Elementariness). It is worth remarking that the kind of
non-elementariness of the sentence $\varphi$ shown in the above theorem can be called essential,
i.e., it cannot be eliminated, due to the fact that $\varphi$ is satisfiable but not elementarily
satisfiable. However, there are different sentences, such as the conjunct $\varphi_1$ in
$\varphi$, having both models on which they are elementarily satisfiable and models, like the Cgs
$\mathcal{G}_{Rdc}$, on which they are only non-elementarily satisfiable. Such a kind of
non-elementariness can be called non-essential, since it can be eliminated by an opportune choice
of the underlying model. Note that a similar reasoning can be done for the dual concept of
elementariness, which we call essential if all models satisfying a given sentence elementarily
satisfy it as well.

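Before continuing, we want to show the reason why we have redefined the concepts of implication
and equivalence in the context of elementary semantics. Consider the Sl[bg, 1-ag, 2-var, 1-alt]
sentence $\varphi_1$ used in Theorem 4.17 of Tb-Sl[bg] non-elementariness. It is not hard to see
that it is equivalent to the Sl[1g, 1-ag, 1-var, 0-alt]
$\varphi' = (\langle\langle x \rangle\rangle(\alpha, x)\psi_1 \leftrightarrow \langle\langle x \rangle\rangle(\alpha, x)\psi_2) \wedge (\langle\langle x \rangle\rangle(\alpha, x)\psi_3 \leftrightarrow \langle\langle x \rangle\rangle(\alpha, x)\psi_4)$,
where $\psi_1 = \mathsf{X}\, (p \wedge \mathsf{X}\, p)$, $\psi_2 = \mathsf{X}\, (\neg p \wedge \mathsf{X}\, p)$,
$\psi_3 = \mathsf{X}\, (p \wedge \mathsf{X}\, \neg p)$, and $\psi_4 = \mathsf{X}\, (\neg p \wedge \mathsf{X}\, \neg p)$.
Note that $\varphi'$ is in turn equivalent to the Ctl* formula
$(\mathsf{E}\psi_1 \leftrightarrow \mathsf{E}\psi_2) \wedge (\mathsf{E}\psi_3 \leftrightarrow \mathsf{E}\psi_4)$.
However, $\varphi_1$ and $\varphi'$ are not elementarily equivalent, since we have that
$\mathcal{G}_{Rdc} \not\models_E \varphi_1$ but $\mathcal{G}_{Rdc} \models_E \varphi'$, where
$\mathcal{G}_{Rdc}$ is the Cgs of Figure 4 on page 15.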






At this point, we can proceed with the proof of the elementariness of satisfiability for Sl[1g].
It is important to note that there is no gap, in our knowledge, between the logics that are
elementarily satisfiable and those that are not, since the fragment Sl[bg, 1-ag, 2-var, 1-alt]
used in the previous theorem cannot be further reduced, due to the fact that otherwise it
collapses into Sl[1g]. Before starting, we have to describe some notation regarding classic
two-player games on infinite words [Perrin and Pin 2004], which are used here as a technical tool.
Note that we introduce the names of scheme and match in place of the more usual strategy and play,
in order to avoid confusion between the concepts related to a Cgs and those related to the tool.

A two-player arena (Tpa, for short) is a tuple $\mathcal{A} = \langle N_e, N_o, E, n_0 \rangle$,
where $N_e$ and $N_o$ are non-empty non-intersecting sets of nodes for player even and odd,
respectively, $E = E_e \cup E_o$, with $E_e \subseteq N_e \times N_o$ and
$E_o \subseteq N_o \times N_e$, is the edge relation between nodes, and $n_0 \in N_e$ is a
designated initial node.

An even position in $\mathcal{A}$ is a finite non-empty sequence of nodes $\varrho \in N_e^+$ such
that $(\varrho)_0 = n_0$ and, for all $i \in [0, |\varrho| - 1[$, there exists a node $n \in N_o$
for which $((\varrho)_i, n) \in E_e$ and $(n, (\varrho)_{i+1}) \in E_o$ hold. In addition, an odd
position in $\mathcal{A}$ is a finite non-empty sequence of nodes
$\varrho = \varrho' \cdot n \in N_e^+ \cdot N_o$, with $n \in N_o$, such that $\varrho'$ is an even
position and $(\mathrm{lst}(\varrho'), n) \in E_e$. By $\mathrm{Pos}_e$ and $\mathrm{Pos}_o$ we
denote, respectively, the sets of even and odd positions.

An even (resp., odd) scheme in $\mathcal{A}$ is a function $s_e : \mathrm{Pos}_e \to N_o$ (resp.,
$s_o : \mathrm{Pos}_o \to N_e$) that maps each even (resp., odd) position to an odd (resp., even)
node in a way that is compatible with the edge relation $E_e$ (resp., $E_o$), i.e., for all
$\varrho \in \mathrm{Pos}_e$ (resp., $\varrho \in \mathrm{Pos}_o$), it holds that
$(\mathrm{lst}(\varrho), s_e(\varrho)) \in E_e$ (resp.,
$(\mathrm{lst}(\varrho), s_o(\varrho)) \in E_o$). By $\mathrm{Sch}_e$ (resp., $\mathrm{Sch}_o$) we
indicate the sets of even (resp., odd) schemes.

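A match in $\mathcal{A}$ is an infinite sequence of nodes $\varpi \in N_e^{\omega}$ such that
$(\varpi)_0 = n_0$ and, for all $i \in \mathbb{N}$, there exists a node $n \in N_o$ such that
$((\varpi)_i, n) \in E_e$ and $(n, (\varpi)_{i+1}) \in E_o$. By $\mathrm{Mtc}$ we denote the set of
all matches. A match map $\mathrm{mtc} : \mathrm{Sch}_e \times \mathrm{Sch}_o \to \mathrm{Mtc}$ is a
function that, given two schemes $s_e \in \mathrm{Sch}_e$ and $s_o \in \mathrm{Sch}_o$, returns the
unique match $\varpi = \mathrm{mtc}(s_e, s_o)$ such that, for all $i \in \mathbb{N}$, it holds that
$(\varpi)_{i+1} = s_o((\varpi)_{\leq i} \cdot s_e((\varpi)_{\leq i}))$.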

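A two-player game (Tpg, for short) is a tuple $\mathcal{H} = \langle \mathcal{A}, \mathrm{Win} \rangle$,
where $\mathcal{A}$ is a Tpa and $\mathrm{Win} \subseteq \mathrm{Mtc}$. On one hand, we say that
player even wins $\mathcal{H}$ if there exists an even scheme $s_e \in \mathrm{Sch}_e$ such that,
for all odd schemes $s_o \in \mathrm{Sch}_o$, it holds that
$\mathrm{mtc}(s_e, s_o) \in \mathrm{Win}$. On the other hand, we say that player odd wins
$\mathcal{H}$ if there exists an odd scheme $s_o \in \mathrm{Sch}_o$ such that, for all even
schemes $s_e \in \mathrm{Sch}_e$, it holds that $\mathrm{mtc}(s_e, s_o) \notin \mathrm{Win}$.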

In the following, for a given binding prefix $\flat \in \mathrm{Bnd}(V)$ with
$V \subseteq \mathrm{Var}$, we denote by $\zeta_\flat : \mathrm{Ag} \to V$ the function associating
with each agent the related variable in $\flat$, i.e., for all $a \in \mathrm{Ag}$, there is
$i \in [0, |\flat|[$ such that $(\flat)_i = (a, \zeta_\flat(a))$.

As a first step towards the proof of the elementariness of Sl[1g], we have to give a construction
of a two-player game, based on an a priori chosen Cgs, in which the players are explicitly viewed
one as a dependence map and the other as a valuation, both over actions. This construction turns
out to be a deep technical evolution of the proof method used for the dualization of alternating
automata on infinite objects [Muller and Schupp 1987].



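Definition 4.20 (Dependence-vs-Valuation Game). Let $\mathcal{G}$ be a Cgs, $s \in \mathrm{St}$ one
of its states, $P \subseteq \mathrm{Pth}(s)$ a set of paths, $\wp \in \mathrm{Qnt}(V)$ a
quantification prefix over a set $V \subseteq \mathrm{Var}$ of variables, and
$\flat \in \mathrm{Bnd}(V)$ a binding. Then, the dependence-vs-valuation game for $\mathcal{G}$ in
$s$ over $P$ w.r.t. $\wp$ and $\flat$ is the Tpg
$\mathcal{H}(\mathcal{G}, s, P, \wp, \flat) = \langle \mathcal{A}(\mathcal{G}, s, \wp, \flat), P \rangle$,
where the Tpa
$\mathcal{A}(\mathcal{G}, s, \wp, \flat) = \langle \mathrm{St}, \mathrm{St} \times \mathrm{DM}_{\mathrm{Ac}}(\wp), E, s \rangle$
has the edge relations defined as follows:

— $E_e = \{(t, (t, \theta)) : t \in \mathrm{St} \wedge \theta \in \mathrm{DM}_{\mathrm{Ac}}(\wp)\}$;

— $E_o = \{((t, \theta), \tau(t, \theta(v) \circ \zeta_\flat)) : t \in \mathrm{St} \wedge \theta \in \mathrm{DM}_{\mathrm{Ac}}(\wp) \wedge v \in \mathrm{Val}_{\mathrm{Ac}}([[\wp]])\}$.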



(By $g_2 \circ g_1 : X \to Z$ we denote the operation of composition of two functions
$g_1 : X \to Y_1$ and $g_2 : Y_2 \to Z$ with $Y_1 \subseteq Y_2$.)

In the next lemma we state a fundamental relationship between dependence-vs-valuation games and
their duals. Basically, we prove that if a player wins the game then the opposite player can win
the dual game, and vice versa. This represents one of the two crucial steps in our elementariness
proof.

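Lemma 4.21 (Dependence-vs-Valuation Duality). Let $\mathcal{G}$ be a Cgs, $s \in \mathrm{St}$ one of
its states, $P \subseteq \mathrm{Pth}(s)$ a set of paths, $\wp \in \mathrm{Qnt}(V)$ a quantification
prefix over a set $V \subseteq \mathrm{Var}$ of variables, and $\flat \in \mathrm{Bnd}(V)$ a binding.
Then, player even wins the Tpg $\mathcal{H}(\mathcal{G}, s, P, \wp, \flat)$ iff player odd wins the
dual Tpg $\mathcal{H}(\mathcal{G}, s, \mathrm{Pth}(s) \setminus P, \wp, \flat)$.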

Now, we are going to give the definition of the important concept of encasement. In- 
formally, an encasement is a particular subset of paths in a given CGS that "works 
to encase" an elementary dependence map on strategies, in the sense that it con- 
tains all plays obtainable by complete assignments derived from the evaluation of the 
above mentioned dependence map. In our context, this concept is used to summarize all 
relevant information needed to verify the elementary satisfiability of a sentence. 

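Definition 4.22 (Encasement). Let $\mathcal{G}$ be a Cgs, $s \in \mathrm{St}$ one of its states,
$P \subseteq \mathrm{Pth}(s)$ a set of paths, $\wp \in \mathrm{Qnt}(V)$ a quantification prefix over
a set $V \subseteq \mathrm{Var}$ of variables, and $\flat \in \mathrm{Bnd}(V)$ a binding. Then, $P$
is an encasement w.r.t. $\wp$ and $\flat$ if there exists an elementary dependence map
$\theta \in \mathrm{EDM}_{\mathrm{Str}(s)}(\wp)$ such that, for all assignments
$\chi \in \mathrm{Asg}([[\wp]], s)$, it holds that
$\mathrm{play}(\theta(\chi) \circ \zeta_\flat, s) \in P$.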

In the next lemma, we give the second of the two crucial steps in our elementariness proof. In
particular, we are able to show a one-to-one relationship between the winning in the
dependence-vs-valuation game of player even and the verification of the encasement property of the
associated winning set. Moreover, in the case that the latter is a Borelian set, by using Martin's
Determinacy Theorem [Martin 1975], we obtain a complete characterization of the winning concept by
means of that of encasements.

Lemma 4.23 (Encasement Characterization). Let $\mathcal{G}$ be a Cgs, $s \in \mathrm{St}$ one of its
states, $P \subseteq \mathrm{Pth}(s)$ a set of paths, $\wp \in \mathrm{Qnt}(V)$ a quantification
prefix over a set $V \subseteq \mathrm{Var}$ of variables, and $\flat \in \mathrm{Bnd}(V)$ a binding.
Then, the following hold:

(i) player even wins $\mathcal{H}(\mathcal{G}, s, P, \wp, \flat)$ iff $P$ is an encasement w.r.t.
$\wp$ and $\flat$;

(ii) if player odd wins $\mathcal{H}(\mathcal{G}, s, P, \wp, \flat)$ then $P$ is not an encasement
w.r.t. $\wp$ and $\flat$;

(iii) if $P$ is a Borelian set and it is not an encasement w.r.t. $\wp$ and $\flat$ then player odd
wins $\mathcal{H}(\mathcal{G}, s, P, \wp, \flat)$.

Finally, we have all technical tools useful to prove the elementariness of the satisfiability for
Sl[1g]. Intuitively, we describe a bidirectional reduction of the problem of interest to the verification
of the winning in the dependence-vs-valuation game. The idea behind this construction resides
in the strong similarity between the statement of Corollary 4.7 of Sl strategy quantification and
the definition of the winning condition in a two-player game. Indeed, on one hand, we say that a
sentence is satisfiable iff "there exists a dependence map such that, for all assignments, it holds
that On the other hand, we say that player even wins a game iff "there exists an even scheme
such that, for all odd schemes, it holds that In particular, for the Sl[1g] fragment, we can resolve
the gap between these two formulations, by using the concept of elementary quantification.

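Theorem 4.24 (Sl[1g] Elementariness). Let $\mathcal{G}$ be a Cgs, $\varphi$ an Sl[1g] formula,
$s \in \mathrm{St}$ a state, and $\chi \in \mathrm{Asg}(s)$ an $s$-total assignment with
$\mathrm{free}(\varphi) \subseteq \mathrm{dom}(\chi)$. Then, it holds that
$\mathcal{G}, \chi, s \models \varphi$ iff $\mathcal{G}, \chi, s \models_E \varphi$.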

Proof. The proof proceeds by induction on the structure of the formula. For the sake of
succinctness, we only show the most important inductive case of principal subsentences
$\phi \in \mathrm{psnt}(\varphi)$, i.e., when $\phi$ is of the form $\wp\flat\psi$, where
$\wp \in \mathrm{Qnt}(V)$ and $\flat \in \mathrm{Bnd}(V)$ are, respectively, a quantification and
binding prefix over a set $V \subseteq \mathrm{Var}$ of variables, and $\psi$ is a variable-closed
formula.

[If]. The proof of this direction is practically the same as the one used in Theorem 4.16 of Sl[ng]
elementary coherence. So, we omit to report it here.

[Only if]. Assume that $\mathcal{G}, \emptyset, s \models \wp\flat\psi$. Then, it is easy to see
that, for all elementary dependence maps $\theta \in \mathrm{EDM}_{\mathrm{Str}(s)}(\wp)$, there is
an assignment $\chi \in \mathrm{Asg}([[\wp]], s)$ such that
$\mathcal{G}, \theta(\chi) \circ \zeta_\flat, s \models \psi$. Indeed, suppose by contradiction that
there exists an elementary dependence map $\theta \in \mathrm{EDM}_{\mathrm{Str}(s)}(\wp)$ such
that, for all assignments $\chi \in \mathrm{Asg}([[\wp]], s)$, it holds that
$\mathcal{G}, \theta(\chi) \circ \zeta_\flat, s \not\models \psi$, i.e.,
$\mathcal{G}, \theta(\chi) \circ \zeta_\flat, s \models \neg\psi$, and so
$\mathcal{G}, \theta(\chi), s \models \flat\neg\psi$. Then, by Corollary 4.7 of Sl strategy
quantification, we have that $\mathcal{G}, \emptyset, s \models \wp\flat\neg\psi$, i.e.,
$\mathcal{G}, \emptyset, s \models \neg\wp\flat\psi$, and so
$\mathcal{G}, \emptyset, s \not\models \wp\flat\psi$, which is impossible.

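Now, let
$P = \{\mathrm{play}(\chi, s) \in \mathrm{Pth}(s) : \chi \in \mathrm{Asg}(\mathrm{Ag}, s) \wedge \mathcal{G}, \chi, s \not\models \psi\}$.
Then, it is evident that, for all elementary dependence maps
$\theta \in \mathrm{EDM}_{\mathrm{Str}(s)}(\wp)$, there is an assignment
$\chi \in \mathrm{Asg}([[\wp]], s)$ such that
$\mathrm{play}(\theta(\chi) \circ \zeta_\flat, s) \notin P$.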

At this point, by Definition 4.22 of encasement, it is clear that $P$ is not an encasement w.r.t.
$\wp$ and $\flat$. Moreover, since $\psi$ describes a regular language, the derived set $P$ is
Borelian [Perrin and Pin 2004]. Consequently, by Item iii of Lemma 4.23 of encasement
characterization, we have that player odd wins the Tpg
$\mathcal{H}(\mathcal{G}, s, P, \wp, \flat)$. Thus, by Lemma 4.21 of dependence-vs-valuation
duality, player even wins the dual Tpg
$\mathcal{H}(\mathcal{G}, s, \mathrm{Pth}(s) \setminus P, \wp, \flat)$. Hence, by Item i of
Lemma 4.23 we have that $\mathrm{Pth}(s) \setminus P$ is an encasement w.r.t. $\wp$ and $\flat$.
Finally, again by Definition 4.22 there exists an elementary dependence map
$\theta \in \mathrm{EDM}_{\mathrm{Str}(s)}(\wp)$ such that, for all assignments
$\chi \in \mathrm{Asg}([[\wp]], s)$, it holds that
$\mathrm{play}(\theta(\chi) \circ \zeta_\flat, s) \in \mathrm{Pth}(s) \setminus P$.

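Now, it is immediate to observe that
$\mathrm{Pth}(s) \setminus P = \{\mathrm{play}(\chi, s) \in \mathrm{Pth}(s) : \chi \in \mathrm{Asg}(\mathrm{Ag}, s) \wedge \mathcal{G}, \chi, s \models \psi\}$.
So, by the inductive hypothesis, we have that
$\mathrm{Pth}(s) \setminus P = \{\mathrm{play}(\chi, s) \in \mathrm{Pth}(s) : \chi \in \mathrm{Asg}(\mathrm{Ag}, s) \wedge \mathcal{G}, \chi, s \models_E \psi\}$,
from which we derive that there exists an elementary dependence map
$\theta \in \mathrm{EDM}_{\mathrm{Str}(s)}(\wp)$ such that, for all assignments
$\chi \in \mathrm{Asg}([[\wp]], s)$, it holds that
$\mathcal{G}, \theta(\chi) \circ \zeta_\flat, s \models_E \psi$. Consequently, by Definition 4.11 of
Sl[ng] elementary semantics, we have that $\mathcal{G}, \emptyset, s \models_E \wp\flat\psi$. □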

As an immediate consequence of the previous theorem, we derive the following fundamental 
corollary. 

Corollary 4.25 (Sl[1g] Elementariness). Let $\mathcal{G}$ be a Cgs and $\varphi$ an Sl[1g]
sentence. Then, $\mathcal{G} \models \varphi$ iff $\mathcal{G} \models_E \varphi$.

It is worth observing that the elementariness property for Sl[1g] is a crucial difference w.r.t.
Sl[bg], which allows us to obtain an elementary decision procedure for the related model-checking
problem, as described in the last part of the next section.

5. MODEL-CHECKING PROCEDURES 

In this section, we study the model-checking problem for Sl and show that, in general, it is
non-elementarily decidable, while, in the particular case of Sl[1g] sentences, it is just
2ExpTime-complete, as for Atl*. For the algorithmic procedures, we follow an automata-theoretic
approach [Kupferman et al. 2000], reducing the decision problem for the logics to the emptiness
problem of an automaton. In particular, we use a bottom-up technique through which we recursively
label each state of the Cgs of interest by all principal subsentences of the specification that are
satisfied on it, starting from the innermost subsentences and terminating with the sentence under
exam. In this way, at a given step of the recursion, since the satisfaction of all subsentences of
the given principal sentence has already been determined, we can assume that the matrix of the
latter is only composed by Boolean combinations and nesting of goals whose temporal part is simply
Ltl. The procedure we propose here extends that used for Atl* in [Alur et al. 2002] by means of a
richer structure of the automata involved in.

The rest of this section is organized as follows. In Subsection 5.1 we recall the definition of
alternating parity tree automata. Then, in Subsection 5.2 we build an automaton accepting a tree
encoding of a Cgs iff this satisfies the formula of interest, which is used to prove the main
result about Sl and Sl[ng] model checking. Finally, in Subsection 5.3 we refine the previous result
to obtain an elementary decision procedure for Sl[1g].

5.1. Alternating tree automata 

Nondeterministic tree automata are a generalization to infinite trees of the classical
nondeterministic word automata on infinite words (see [Thomas 1990], for an introduction).
Alternating tree automata are a further generalization of nondeterministic tree automata
[Muller and Schupp 1987]. Intuitively, on visiting a node of the input tree, while the latter sends
exactly one copy of itself to each of the successors of the node, the former can send several own
copies to the same successor. Here we use, in particular, alternating parity tree automata, which
are alternating tree automata along with a parity acceptance condition (see [Grädel et al. 2002],
for a survey).
We now give the formal definition of alternating tree automata.

Definition 5.1 (Alternating Tree Automata). An alternating tree automaton (Ata, for short) is a
tuple $\mathcal{A} = \langle \Sigma, \Delta, Q, \delta, q_0, \aleph \rangle$, where $\Sigma$,
$\Delta$, and $Q$ are, respectively, non-empty finite sets of input symbols, directions, and
states, $q_0 \in Q$ is an initial state, $\aleph$ is an acceptance condition to be defined later,
and $\delta : Q \times \Sigma \to B^+(\Delta \times Q)$ is an alternating transition function that
maps each pair of states and input symbols to a positive Boolean combination on the set of
propositions of the form $(d, q) \in \Delta \times Q$, a.k.a. moves.

On one side, a nondeterministic tree automaton (Nta, for short) is a special case of Ata in which
each conjunction in the transition function $\delta$ has exactly one move $(d, q)$ associated with
each direction $d$. This means that, for all states $q \in Q$ and symbols $\sigma \in \Sigma$, we
have that $\delta(q, \sigma)$ is equivalent to a Boolean formula of the form
$\bigvee_i \bigwedge_{d \in \Delta} (d, q_{i,d})$. On the other side, a universal tree automaton
(Uta, for short) is a special case of Ata in which all the Boolean combinations that appear in
$\delta$ are conjunctions of moves. Thus, we have that
$\delta(q, \sigma) = \bigwedge_i (d_i, q_i)$, for all states $q \in Q$ and symbols
$\sigma \in \Sigma$.

The semantics of the Atas is given through the following concept of run. 

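Definition 5.2 (Ata Run). A run of an Ata
$\mathcal{A} = \langle \Sigma, \Delta, Q, \delta, q_0, \aleph \rangle$ on a $\Sigma$-labeled
$\Delta$-tree $\mathcal{T} = \langle T, v \rangle$ is a $(\Delta \times Q)$-tree $R$ such that, for
all nodes $x \in R$, where $x = \prod_{i=1}^{n} (d_i, q_i)$ and $y = \prod_{i=1}^{n} d_i$ with
$n \in [0, \omega[$, it holds that (i) $y \in T$ and (ii) there is a set of moves
$S \subseteq \Delta \times Q$ with $S \models \delta(q_n, v(y))$ such that
$x \cdot (d, q) \in R$, for all $(d, q) \in S$.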

In the following, we consider Atas along with the parity acceptance condition (Apt, for short)
$\aleph = (F_1, \ldots, F_k) \in (2^Q)^+$ with $F_1 \subseteq \ldots \subseteq F_k = Q$ (see
[Kupferman et al. 2000], for more). The number $k$ of sets in the tuple $\aleph$ is called the
index of the automaton. We also consider Atas with the co-Büchi acceptance condition (Act, for
short) that is the special parity condition with index 2.

Let $R$ be a run of an Ata $\mathcal{A}$ on a tree $\mathcal{T}$ and $w$ one of its branches. Then,
by $\mathrm{inf}(w) = \{q \in Q : |\{i \in \mathbb{N} : \exists d \in \Delta.\, (w)_i = (d, q)\}| = \omega\}$
we denote the set of states that occur infinitely often as the second component of the letters
along the branch $w$. Moreover, we say that $w$ satisfies the parity acceptance condition
$\aleph = (F_1, \ldots, F_k)$ if the least index $i \in [1, k]$ for which
$\mathrm{inf}(w) \cap F_i \neq \emptyset$ is even.

At this point, we can define the concept of language accepted by an Ata. 

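Definition 5.3 (Ata Acceptance). An Ata
$\mathcal{A} = \langle \Sigma, \Delta, Q, \delta, q_0, \aleph \rangle$ accepts a $\Sigma$-labeled
$\Delta$-tree $\mathcal{T}$ iff there exists a run $R$ of $\mathcal{A}$ on $\mathcal{T}$ such that
all its infinite branches satisfy the acceptance condition $\aleph$.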

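By $L(\mathcal{A})$ we denote the language accepted by the Ata $\mathcal{A}$, i.e., the set of trees
$\mathcal{T}$ accepted by $\mathcal{A}$. Moreover, $\mathcal{A}$ is said to be empty if
$L(\mathcal{A}) = \emptyset$. The emptiness problem for $\mathcal{A}$ is to decide whether
$L(\mathcal{A}) = \emptyset$.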

We finally show a simple but useful result about the Apt direction projection. To do this, we first
need to introduce an extra notation. Let $f \in B(P)$ be a Boolean formula on a set of propositions
$P$. Then, by $f[p/q \mid p \in P']$ we denote the formula in which all occurrences of the
propositions $p \in P' \subseteq P$ in $f$ are replaced by the proposition $q$ belonging to a
possibly different set.

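Theorem 5.4 (Apt Direction Projection). Let
$\mathcal{A} = \langle \Sigma \times \Delta, \Delta, Q, \delta, q_0, \aleph \rangle$ be an Apt over
a set of $m$ directions with $n$ states and index $k$. Moreover, let $d_0 \in \Delta$ be a
distinguished direction. Then, there exists an Npt
$\mathcal{N}^{d_0} = \langle \Sigma, \Delta, Q', \delta', q_0', \aleph' \rangle$ with
$m \cdot 2^{O(k \cdot n \cdot \log n)}$ states and index $O(k \cdot n \cdot \log n)$ such that, for
all $\Sigma$-labeled $\Delta$-tree $\mathcal{T} = \langle T, v \rangle$, it holds that
$\mathcal{T} \in L(\mathcal{N}^{d_0})$ iff $\mathcal{T}' \in L(\mathcal{A})$, where $\mathcal{T}'$ is
the $(\Sigma \times \Delta)$-labeled $\Delta$-tree $\langle T, v' \rangle$ such that
$v'(t) = (v(t), \mathrm{lst}(d_0 \cdot t))$, for all $t \in T$.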

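Proof. As a first step, we use the well-known nondeterminization procedure for Apts
[Muller and Schupp 1995] in order to transform the Apt $\mathcal{A}$ into an equivalent Npt
$\mathcal{N} = \langle \Sigma \times \Delta, \Delta, Q'', \delta'', q_0'', \aleph'' \rangle$ with
$2^{O(k \cdot n \cdot \log n)}$ states and index $k' = O(k \cdot n \cdot \log n)$. Then, we
transform the latter into the new Npt
$\mathcal{N}^{d_0} = \langle \Sigma, \Delta, Q', \delta', q_0', \aleph' \rangle$ with
$m \cdot 2^{O(k \cdot n \cdot \log n)}$ states and same index $k'$, where
$Q' \triangleq Q'' \times \Delta$, $q_0' \triangleq (q_0'', d_0)$,
$\aleph' \triangleq (F_1 \times \Delta, \ldots, F_{k'} \times \Delta)$ with
$\aleph'' \triangleq (F_1, \ldots, F_{k'})$, and
$\delta'((q, d), \sigma) \triangleq \delta''(q, (\sigma, d))[(d', q')/(d', (q', d')) \mid (d', q') \in \Delta \times Q'']$,
for all $(q, d) \in Q'$ and $\sigma \in \Sigma$. Now, it is easy to see that $\mathcal{N}^{d_0}$
satisfies the declared statement. □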

5.2. Sl Model Checking 

A first step towards our construction of an algorithmic procedure for the solution of the Sl
model-checking problem is to define, for each possible formula $\varphi$, an alternating parity
tree automaton $\mathcal{A}^{\mathcal{G}}_{\varphi}$ that recognizes a tree encoding $\mathcal{T}$
of a Cgs $\mathcal{G}$, containing the information on an assignment $\chi$ on the free
variables/agents of $\varphi$, iff $\mathcal{G}$ is a model of $\varphi$ under $\chi$. The
high-level idea at the base of this construction is an evolution and merging of those behind the
translations of QPtl and Ltl, respectively, into nondeterministic [Sistla et al. 1987] and
alternating [Muller et al. 1988] Büchi automata.

To proceed with the formal description of the model-checking procedure, we have to introduce a 
concept of encoding for the assignments of a Cgs.

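Definition 5.5 (Assignment-State Encoding). Let $\mathcal{G}$ be a Cgs,
$s \in \mathrm{St}_{\mathcal{G}}$ one of its states, and
$\chi \in \mathrm{Asg}_{\mathcal{G}}(V, s)$ an assignment defined on the set
$V \subseteq \mathrm{Var} \cup \mathrm{Ag}$. Then, a
$(\mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(V) \times \mathrm{St}_{\mathcal{G}})$-labeled
$\mathrm{St}_{\mathcal{G}}$-tree $\mathcal{T} = \langle T, u \rangle$, where
$T = \{\rho_{\geq 1} : \rho \in \mathrm{Trk}_{\mathcal{G}}(s)\}$, is an assignment-state encoding
for $\chi$ if it holds that $u(t) \triangleq (\chi(s \cdot t), \mathrm{lst}(s \cdot t))$, for all
$t \in T$.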

Observe that there is a unique assignment-state encoding for each given assignment. 

In the next lemma, we prove the existence of an Apt for each Cgs and Sl formula that is able to
recognize all the assignment-state encodings of an a priori given assignment, under the assumption
that the formula is satisfied on the Cgs under this assignment.

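Lemma 5.6 (Sl Formula Automaton). Let $\mathcal{G}$ be a Cgs and $\varphi$ an Sl formula. Then,
there exists an Apt
$\mathcal{A}^{\mathcal{G}}_{\varphi} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi}, \delta_{\varphi}, q_{0\varphi}, \aleph_{\varphi} \rangle$
such that, for all states $s \in \mathrm{St}_{\mathcal{G}}$ and assignments
$\chi \in \mathrm{Asg}_{\mathcal{G}}(\mathrm{free}(\varphi), s)$, it holds that
$\mathcal{G}, \chi, s \models \varphi$ iff $\mathcal{T} \in L(\mathcal{A}^{\mathcal{G}}_{\varphi})$,
where $\mathcal{T}$ is the assignment-state encoding for $\chi$.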

Proof. The construction of the Apt $\mathcal{A}^{\mathcal{G}}_{\varphi}$ is done recursively on the
structure of the formula $\varphi$, which w.l.o.g. is supposed to be in enf, by using a variation
of the transformation, via alternating tree automata, of the S1S and SkS logics into
nondeterministic Büchi word and tree automata recognizing all models of the formula of interest
[Büchi 1962; Rabin 1969].

The detailed construction of $\mathcal{A}^{\mathcal{G}}_{\varphi}$, by a case analysis on
$\varphi$, follows.

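— If $\varphi \in \mathrm{AP}$, the automaton has to verify if the atomic proposition is locally
satisfied or not. To do this, we set
$\mathcal{A}^{\mathcal{G}}_{\varphi} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\emptyset) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, \{\varphi\}, \delta_{\varphi}, \varphi, (\{\varphi\}) \rangle$,
where $\delta_{\varphi}(\varphi, (v, s)) = \mathfrak{t}$, if $\varphi \in \lambda_{\mathcal{G}}(s)$,
and $\delta_{\varphi}(\varphi, (v, s)) = \mathfrak{f}$, otherwise. Intuitively,
$\mathcal{A}^{\mathcal{G}}_{\varphi}$ only verifies that the state $s$ in the labeling of the root
of the assignment-state encoding of the empty assignment satisfies $\varphi$.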






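— The boolean case $\varphi = \neg\varphi'$ is treated in the classical way, by simply dualizing
the automaton
$\mathcal{A}^{\mathcal{G}}_{\varphi'} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi')) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi'}, \delta_{\varphi'}, q_{0\varphi'}, \aleph_{\varphi'} \rangle$
[Muller and Schupp 1987].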

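— The boolean cases $\varphi = \varphi_1\, \mathrm{Op}\, \varphi_2$, with
$\mathrm{Op} \in \{\wedge, \vee\}$, are treated in a way that is similar to the classical one, by
simply merging the two automata
$\mathcal{A}^{\mathcal{G}}_{\varphi_1} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi_1)) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi_1}, \delta_{\varphi_1}, q_{0\varphi_1}, \aleph_{\varphi_1} \rangle$
and
$\mathcal{A}^{\mathcal{G}}_{\varphi_2} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi_2)) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi_2}, \delta_{\varphi_2}, q_{0\varphi_2}, \aleph_{\varphi_2} \rangle$
into the automaton
$\mathcal{A}^{\mathcal{G}}_{\varphi} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi}, \delta_{\varphi}, q_{0\varphi}, \aleph_{\varphi} \rangle$,
where the following hold:

  — $Q_{\varphi} \triangleq \{q_{0\varphi}\} \cup Q_{\varphi_1} \cup Q_{\varphi_2}$, with
  $q_{0\varphi} \notin Q_{\varphi_1} \cup Q_{\varphi_2}$;

  — $\delta_{\varphi}(q_{0\varphi}, (v, s)) \triangleq \delta_{\varphi_1}(q_{0\varphi_1}, (v_{\restriction \mathrm{free}(\varphi_1)}, s))\, \mathrm{Op}\, \delta_{\varphi_2}(q_{0\varphi_2}, (v_{\restriction \mathrm{free}(\varphi_2)}, s))$,
  for all $(v, s) \in \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}$;

  — $\delta_{\varphi}(q, (v, s)) \triangleq \delta_{\varphi_1}(q, (v_{\restriction \mathrm{free}(\varphi_1)}, s))$,
  if $q \in Q_{\varphi_1}$, and
  $\delta_{\varphi}(q, (v, s)) \triangleq \delta_{\varphi_2}(q, (v_{\restriction \mathrm{free}(\varphi_2)}, s))$,
  otherwise, for all $q \in Q_{\varphi_1} \cup Q_{\varphi_2}$ and
  $(v, s) \in \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}$;

  — $\aleph_{\varphi} \triangleq (F_{1\varphi}, \ldots, F_{k\varphi})$, where (i)
  $\aleph_{\varphi_1} \triangleq (F_{1\varphi_1}, \ldots, F_{k_1\varphi_1})$ and
  $\aleph_{\varphi_2} \triangleq (F_{1\varphi_2}, \ldots, F_{k_2\varphi_2})$, (ii)
  $h = \min\{k_1, k_2\}$ and $k = \max\{k_1, k_2\}$, (iii)
  $F_{i\varphi} \triangleq F_{i\varphi_1} \cup F_{i\varphi_2}$, for $i \in [1, h]$, (iv)
  $F_{i\varphi} \triangleq F_{i\varphi_j}$, for $i \in [h + 1, k - 1]$ with $k_j = k$, and (v)
  $F_{k\varphi} \triangleq Q_{\varphi}$.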

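— The case $\varphi = \mathsf{X}\, \varphi'$ is solved by running the automaton
$\mathcal{A}^{\mathcal{G}}_{\varphi'} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi')) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi'}, \delta_{\varphi'}, q_{0\varphi'}, \aleph_{\varphi'} \rangle$
on the successor node of the root of the assignment-state encoding in the direction individuated
by the assignment itself. To do this, we use the automaton
$\mathcal{A}^{\mathcal{G}}_{\varphi} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi}, \delta_{\varphi}, q_{0\varphi}, \aleph_{\varphi} \rangle$,
where the following hold:

  — $Q_{\varphi} \triangleq \{q_{0\varphi}\} \cup Q_{\varphi'}$, with
  $q_{0\varphi} \notin Q_{\varphi'}$;

  — $\delta_{\varphi}(q_{0\varphi}, (v, s)) \triangleq (\tau_{\mathcal{G}}(s, v_{\restriction \mathrm{Ag}}), q_{0\varphi'})$,
  for all $(v, s) \in \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}$;

  — $\delta_{\varphi}(q, (v, s)) \triangleq \delta_{\varphi'}(q, (v_{\restriction \mathrm{free}(\varphi')}, s))$,
  for all $q \in Q_{\varphi'}$ and
  $(v, s) \in \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}$;

  — $\aleph_{\varphi} \triangleq (F_{1\varphi'}, \ldots, F_{k\varphi'} \cup \{q_{0\varphi}\})$,
  where $\aleph_{\varphi'} \triangleq (F_{1\varphi'}, \ldots, F_{k\varphi'})$.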

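— To handle the case $\varphi = \varphi_1 \mathsf{U} \varphi_2$, we use the automaton
$\mathcal{A}^{\mathcal{G}}_{\varphi} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi}, \delta_{\varphi}, q_{0\varphi}, \aleph_{\varphi} \rangle$
that verifies the truth of the until operator using its one-step unfolding equivalence
$\varphi_1 \mathsf{U} \varphi_2 \equiv \varphi_2 \vee \varphi_1 \wedge \mathsf{X}\, \varphi_1 \mathsf{U} \varphi_2$,
by appropriately running the two automata
$\mathcal{A}^{\mathcal{G}}_{\varphi_1} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi_1)) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi_1}, \delta_{\varphi_1}, q_{0\varphi_1}, \aleph_{\varphi_1} \rangle$
and
$\mathcal{A}^{\mathcal{G}}_{\varphi_2} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi_2)) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi_2}, \delta_{\varphi_2}, q_{0\varphi_2}, \aleph_{\varphi_2} \rangle$
for the inner formulas $\varphi_1$ and $\varphi_2$. The definitions of the components of
$\mathcal{A}^{\mathcal{G}}_{\varphi}$ follow:

  — $Q_{\varphi} \triangleq \{q_{0\varphi}\} \cup Q_{\varphi_1} \cup Q_{\varphi_2}$, with
  $q_{0\varphi} \notin Q_{\varphi_1} \cup Q_{\varphi_2}$;

  — $\delta_{\varphi}(q_{0\varphi}, (v, s)) \triangleq \delta_{\varphi_2}(q_{0\varphi_2}, (v_{\restriction \mathrm{free}(\varphi_2)}, s)) \vee \delta_{\varphi_1}(q_{0\varphi_1}, (v_{\restriction \mathrm{free}(\varphi_1)}, s)) \wedge (\tau_{\mathcal{G}}(s, v_{\restriction \mathrm{Ag}}), q_{0\varphi})$,
  for all $(v, s) \in \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}$;

  — $\delta_{\varphi}(q, (v, s)) \triangleq \delta_{\varphi_1}(q, (v_{\restriction \mathrm{free}(\varphi_1)}, s))$,
  if $q \in Q_{\varphi_1}$, and
  $\delta_{\varphi}(q, (v, s)) \triangleq \delta_{\varphi_2}(q, (v_{\restriction \mathrm{free}(\varphi_2)}, s))$,
  otherwise, for all $q \in Q_{\varphi_1} \cup Q_{\varphi_2}$ and
  $(v, s) \in \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}$;

  — $\aleph_{\varphi} \triangleq (F_{1\varphi}, \ldots, F_{k\varphi})$, where (i)
  $\aleph_{\varphi_1} \triangleq (F_{1\varphi_1}, \ldots, F_{k_1\varphi_1})$ and
  $\aleph_{\varphi_2} \triangleq (F_{1\varphi_2}, \ldots, F_{k_2\varphi_2})$, (ii)
  $h = \min\{k_1, k_2\}$ and $k = \max\{k_1, k_2\}$, (iii)
  $F_{i\varphi} \triangleq \{q_{0\varphi}\} \cup F_{i\varphi_1} \cup F_{i\varphi_2}$, for
  $i \in [1, h]$, (iv) $F_{i\varphi} \triangleq \{q_{0\varphi}\} \cup F_{i\varphi_j}$, for
  $i \in [h + 1, k - 1]$ with $k_j = k$, and (v) $F_{k\varphi} \triangleq Q_{\varphi}$.

It is important to observe that the initial state $q_{0\varphi}$ is included in all sets of the
parity acceptance condition, in particular in $F_{1\varphi}$, in order to avoid its regeneration
for an infinite number of times.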

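— To handle the case $\varphi = \varphi_1 \mathsf{R} \varphi_2$, we use the automaton
$\mathcal{A}^{\mathcal{G}}_{\varphi} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi}, \delta_{\varphi}, q_{0\varphi}, \aleph_{\varphi} \rangle$
that verifies the truth of the release operator using its one-step unfolding equivalence
$\varphi_1 \mathsf{R} \varphi_2 \equiv \varphi_2 \wedge (\varphi_1 \vee \mathsf{X}\, \varphi_1 \mathsf{R} \varphi_2)$,
by appropriately running the two automata
$\mathcal{A}^{\mathcal{G}}_{\varphi_1} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi_1)) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi_1}, \delta_{\varphi_1}, q_{0\varphi_1}, \aleph_{\varphi_1} \rangle$
and
$\mathcal{A}^{\mathcal{G}}_{\varphi_2} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi_2)) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi_2}, \delta_{\varphi_2}, q_{0\varphi_2}, \aleph_{\varphi_2} \rangle$
for the inner formulas $\varphi_1$ and $\varphi_2$. The definitions of the components of
$\mathcal{A}^{\mathcal{G}}_{\varphi}$ follow:

  — $Q_{\varphi} \triangleq \{q_{0\varphi}\} \cup Q_{\varphi_1} \cup Q_{\varphi_2}$, with
  $q_{0\varphi} \notin Q_{\varphi_1} \cup Q_{\varphi_2}$;

  — $\delta_{\varphi}(q_{0\varphi}, (v, s)) \triangleq \delta_{\varphi_2}(q_{0\varphi_2}, (v_{\restriction \mathrm{free}(\varphi_2)}, s)) \wedge (\delta_{\varphi_1}(q_{0\varphi_1}, (v_{\restriction \mathrm{free}(\varphi_1)}, s)) \vee (\tau_{\mathcal{G}}(s, v_{\restriction \mathrm{Ag}}), q_{0\varphi}))$,
  for all $(v, s) \in \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}$;

  — $\delta_{\varphi}(q, (v, s)) \triangleq \delta_{\varphi_1}(q, (v_{\restriction \mathrm{free}(\varphi_1)}, s))$,
  if $q \in Q_{\varphi_1}$, and
  $\delta_{\varphi}(q, (v, s)) \triangleq \delta_{\varphi_2}(q, (v_{\restriction \mathrm{free}(\varphi_2)}, s))$,
  otherwise, for all $q \in Q_{\varphi_1} \cup Q_{\varphi_2}$ and
  $(v, s) \in \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}$;

  — $\aleph_{\varphi} \triangleq (F_{1\varphi}, \ldots, F_{k\varphi})$, where (i)
  $\aleph_{\varphi_1} \triangleq (F_{1\varphi_1}, \ldots, F_{k_1\varphi_1})$ and
  $\aleph_{\varphi_2} \triangleq (F_{1\varphi_2}, \ldots, F_{k_2\varphi_2})$, (ii)
  $h = \min\{k_1, k_2\}$ and $k = \max\{k_1, k_2\}$, (iii)
  $F_{1\varphi} \triangleq F_{1\varphi_1} \cup F_{1\varphi_2}$, (iv)
  $F_{i\varphi} \triangleq \{q_{0\varphi}\} \cup F_{i\varphi_1} \cup F_{i\varphi_2}$, for
  $i \in [2, h]$, (iv) $F_{i\varphi} \triangleq \{q_{0\varphi}\} \cup F_{i\varphi_j}$, for
  $i \in [h + 1, k - 1]$ with $k_j = k$, and (v) $F_{k\varphi} \triangleq Q_{\varphi}$.

It is important to observe that, differently from the case of the until operator, the initial
state $q_{0\varphi}$ is included in all sets of the parity acceptance condition but
$F_{1\varphi}$, in order to allow its regeneration for an infinite number of times.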

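— The case $\varphi = (a, x)\varphi'$ is solved by simply transforming the transition function of
the automaton
$\mathcal{A}^{\mathcal{G}}_{\varphi'} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi')) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi'}, \delta_{\varphi'}, q_{0\varphi'}, \aleph_{\varphi'} \rangle$,
by setting the value of the valuations in input w.r.t. the agent $a$ to the value of the same
valuation w.r.t. the variable $x$. The definition of the transition function for
$\mathcal{A}^{\mathcal{G}}_{\varphi} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi'}, \delta_{\varphi}, q_{0\varphi'}, \aleph_{\varphi'} \rangle$
follows: $\delta_{\varphi}(q, (v, s)) \triangleq \delta_{\varphi'}(q, (v', s))$, where
$v' = v[a \mapsto v(x)]_{\restriction \mathrm{free}(\varphi')}$, if
$a \in \mathrm{free}(\varphi')$, and $v' = v$, otherwise, for all $q \in Q_{\varphi'}$ and
$(v, s) \in \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}$.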

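— To handle the case $\varphi = \langle\langle x \rangle\rangle\varphi'$, assuming that
$x \in \mathrm{free}(\varphi')$, we use the operation of existential projection for
nondeterministic tree automata. To do this, we have first to nondeterminize the Apt
$\mathcal{A}^{\mathcal{G}}_{\varphi'}$, by applying the classic transformation
[Muller and Schupp 1995]. In this way, we obtain an equivalent Npt
$\mathcal{N}^{\mathcal{G}}_{\varphi'} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi')) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi'}, \delta_{\varphi'}, q_{0\varphi'}, \aleph_{\varphi'} \rangle$.
Now, we make the projection, by defining the new Npt
$\mathcal{A}^{\mathcal{G}}_{\varphi} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\varphi'}, \delta_{\varphi}, q_{0\varphi'}, \aleph_{\varphi'} \rangle$
where
$\delta_{\varphi}(q, (v, s)) \triangleq \bigvee_{c \in \mathrm{Ac}_{\mathcal{G}}} \delta_{\varphi'}(q, (v[x \mapsto c], s))$,
for all $q \in Q_{\varphi'}$ and
$(v, s) \in \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\varphi)) \times \mathrm{St}_{\mathcal{G}}$.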

At this point, it only remains to prove that, for all states $s \in \mathrm{St}_{\mathcal{G}}$ and assignments $\chi \in
\mathrm{Asg}_{\mathcal{G}}(\mathrm{free}(\varphi), s)$, it holds that $\mathcal{G}, \chi, s \models \varphi$ iff $\mathcal{T} \in L(\mathcal{A}^{\mathcal{G}}_{\varphi})$, where $\mathcal{T}$ is the assignment-state
encoding for $\chi$. The proof can be developed by a simple induction on the structure of the formula $\varphi$
and is left to the reader as a simple exercise. □

We now have the tools to describe the recursive model-checking procedure on nested subsen- 
tences for Sl and its fragments under the general semantics. 

To proceed, we have first to prove the following theorem that represents the core of our automata- 
theoretic approach. 

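Theorem 5.7 (Sl Sentence Automaton). Let $\mathcal{G}$ be a Cgs, $s \in \mathrm{St}_{\mathcal{G}}$ one of its states, and
$\varphi$ an Sl sentence. Then, there exists an NPT $\mathcal{N}^{\mathcal{G},s}_{\varphi}$ such that $\mathcal{G}, \emptyset, s \models \varphi$ iff $L(\mathcal{N}^{\mathcal{G},s}_{\varphi}) \neq \emptyset$.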

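Proof. To construct the Npt $\mathcal{N}^{\mathcal{G},s}_{\varphi}$ we apply Theorem 5.4 of Apt direction projection with
distinguished direction $s$ to the Apt $\mathcal{A}^{\mathcal{G}}_{\varphi}$ derived by Lemma 5.6 of Sl formula automaton. In this
way, we can ensure that the state labeling of nodes of the assignment-state encoding is coherent with
the node itself. Observe that, since $\varphi$ is a sentence, we have that $\mathrm{free}(\varphi) = \emptyset$, and so, the unique
assignment-state encoding of interest is that related to the empty assignment $\emptyset$.

[Only if]. Suppose that $\mathcal{G}, \emptyset, s \models \varphi$. Then, by Lemma 5.6 we have that $\mathcal{T} \in L(\mathcal{A}^{\mathcal{G}}_{\varphi})$, where $\mathcal{T}$ is
the elementary dependence-state encoding for $\emptyset$. Hence, by Theorem 5.4 it holds that $L(\mathcal{N}^{\mathcal{G},s}_{\varphi}) \neq \emptyset$.

[If]. Suppose that $L(\mathcal{N}^{\mathcal{G},s}_{\varphi}) \neq \emptyset$. Then, by Theorem 5.4 there exists an $(\{\emptyset\} \times \mathrm{St}_{\mathcal{G}})$-labeled $\mathrm{St}_{\mathcal{G}}$-tree
$\mathcal{T}$ such that $\mathcal{T} \in L(\mathcal{A}^{\mathcal{G}}_{\varphi})$. Now, it is immediate to see that $\mathcal{T}$ is the assignment-state encoding
for $\emptyset$. Hence, by Lemma 5.6 we have that $\mathcal{G}, \emptyset, s \models \varphi$. □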
Before continuing, we define the length $\mathrm{lng}(\varphi)$ of an Sl formula $\varphi$ as the number $|\mathrm{sub}(\varphi)|$ of its
subformulas. We also introduce a generalization of the Knuth's double arrow notation in order to
represent a tower of exponentials: $a \uparrow\uparrow_b 0 \triangleq b$ and $a \uparrow\uparrow_b (c + 1) \triangleq a^{(a \uparrow\uparrow_b c)}$, for all $a, b, c \in \mathbb{N}$.

At this point, we prove the main theorem about the non-elementary complexity of Sl model- 
checking problem. 

Theorem 5.8 (Sl Model Checking). The model-checking problem for Sl is PTime-complete
w.r.t. the size of the model and NonElementaryTime w.r.t. the size of the specification.

Proof. By Theorem 5.7 of Sl sentence automaton, to verify that $\mathcal{G}, \emptyset, s \models \varphi$, we simply
calculate the emptiness of the NPT $\mathcal{N}^{\mathcal{G},s}_{\varphi}$ having $|\mathrm{St}_{\mathcal{G}}| \cdot (2 \uparrow\uparrow_m m)$ states and index $2 \uparrow\uparrow_m m$,
where $m = O(\mathrm{lng}(\varphi) \cdot \log \mathrm{lng}(\varphi))$. It is well-known that the emptiness problem for such a kind
of automaton with $n$ states and index $h$ is solvable in time $O(n^h)$ [Kupferman and Vardi 1998].
Thus, we get that the time complexity of checking whether $\mathcal{G}, \emptyset, s \models \varphi$ is $|\mathrm{St}_{\mathcal{G}}|^{O(2 \uparrow\uparrow_m m)}$. Hence,
the membership of the model-checking problem for Sl in PTime w.r.t. the size of the model and
NonElementaryTime w.r.t. the size of the specification directly follows. Finally, by getting the
relative lower bound on the model from the same problem for Atl* [Alur et al. 2002], the thesis is
proved. □

Finally, we show a refinement of the previous result, when we consider sentences of the Sl[ng] 
fragment. 

Theorem 5.9 (Sl[ng] Model Checking). The model-checking problem for Sl[ng] is
PTime-complete w.r.t. the size of the model and $(k + 1)$-ExpTime w.r.t. the maximum alternation
$k$ of the specification.

Proof. By Theorem 5.7 of Sl sentence automaton, to verify that $\mathcal{G}, \emptyset, s \models \wp\psi$, where $\wp\psi$ is an
Sl[ng] principal sentence without proper subsentences, we can simply calculate the emptiness of
the Npt having $|\mathrm{St}_{\mathcal{G}}| \cdot (2 \uparrow\uparrow_m k)$ states and index $2 \uparrow\uparrow_m k$, where $m = O(\mathrm{lng}(\psi) \cdot \log \mathrm{lng}(\psi))$
and $k = \mathrm{alt}(\wp\psi)$. Thus, we get that the time complexity of checking whether $\mathcal{G}, \emptyset, s \models \wp\psi$ is
$|\mathrm{St}_{\mathcal{G}}|^{O(2 \uparrow\uparrow_m k)}$. At this point, since we have to do this verification for each possible state $s \in \mathrm{St}_{\mathcal{G}}$
and principal subsentence $\wp\psi \in \mathrm{psnt}(\varphi)$ of the whole Sl[ng] specification $\varphi$, we derive that
the bottom-up model-checking procedure requires time $|\mathrm{St}_{\mathcal{G}}|^{O(2 \uparrow\uparrow_{\mathrm{lng}(\varphi)} k)}$, where $k = \max\{\mathrm{alt}(\wp\psi)
: \wp\psi \in \mathrm{psnt}(\varphi)\}$. Hence, the membership of the model-checking problem for Sl in PTime w.r.t.
the size of the model and $(k + 1)$-ExpTime w.r.t. the maximum alternation $k$ of the specification
directly follows. Finally, by getting the relative lower bound on the model from the same
problem for Atl* [Alur et al. 2002], the thesis is proved. □

5.3. Sl[1g] Model Checking 

We now show how the concept of elementariness of dependence maps over strategies can be used to 
enormously reduce the complexity of the model-checking procedure for the Sl[1g] fragment. The 
idea behind our approach is to avoid the use of projections used to handle the strategy quantifications, 
by reducing them to action quantifications, which can be managed locally on each state of the model 
without a tower of exponential blow-ups. 

To start with the description of the ad-hoc procedure for Sl[1g], we first
prove the existence of a UCT for each Cgs and Sl[1g] goal $\flat\psi$ that recognizes
all the assignment-state encodings of an a priori given assignment,
under the assumption that the goal is satisfied on the Cgs under this assignment.

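Lemma 5.10 (Sl[1g] Goal Automaton). Let $\mathcal{G}$ be a Cgs and $\flat\psi$ an Sl[1g] goal without
principal subsentences. Then, there exists an UCT $\mathcal{U}^{\mathcal{G}}_{\flat\psi} \triangleq \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\flat\psi)) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\flat\psi}, \delta_{\flat\psi},
q_{0\flat\psi}, \aleph_{\flat\psi} \rangle$ such that, for all states $s \in \mathrm{St}_{\mathcal{G}}$ and assignments $\chi \in \mathrm{Asg}_{\mathcal{G}}(\mathrm{free}(\flat\psi), s)$, it holds that
$\mathcal{G}, \chi, s \models \flat\psi$ iff $\mathcal{T} \in L(\mathcal{U}^{\mathcal{G}}_{\flat\psi})$, where $\mathcal{T}$ is the assignment-state encoding for $\chi$.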

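Proof. A first step in the construction of the UCT $\mathcal{U}^{\mathcal{G}}_{\flat\psi}$ is to consider the Ucw $\mathcal{U}_{\psi} \triangleq \langle 2^{\mathrm{AP}}, Q_{\psi},
\delta_{\psi}, Q_{0\psi}, \aleph_{\psi} \rangle$ obtained by dualizing the Nbw resulting from the application of the classic Vardi-Wolper
construction to the Ltl formula $\neg\psi$ [Vardi and Wolper 1986]. Observe that $L(\mathcal{U}_{\psi}) = L(\psi)$,
i.e., $\mathcal{U}_{\psi}$ recognizes all infinite words on the alphabet $2^{\mathrm{AP}}$ that satisfy the Ltl formula $\psi$. Then,
define the components of $\mathcal{U}^{\mathcal{G}}_{\flat\psi} \triangleq \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\flat\psi)) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\flat\psi}, \delta_{\flat\psi}, q_{0\flat\psi}, \aleph_{\flat\psi} \rangle$ as follows:

— $Q_{\flat\psi} \triangleq \{q_{0\flat\psi}\} \cup Q_{\psi}$, with $q_{0\flat\psi} \notin Q_{\psi}$;

— $\delta_{\flat\psi}(q_{0\flat\psi}, (\mathsf{v}, s)) \triangleq \bigwedge_{q \in Q_{0\psi}} \delta_{\flat\psi}(q, (\mathsf{v}, s))$, for all $(\mathsf{v}, s) \in \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\flat\psi)) \times \mathrm{St}_{\mathcal{G}}$;

— $\delta_{\flat\psi}(q, (\mathsf{v}, s)) \triangleq \bigwedge_{q' \in \delta_{\psi}(q, \lambda(s))} (\tau(s, \mathsf{v} \circ \zeta_{\flat}), q')$, for all $q \in Q_{\psi}$ and $(\mathsf{v}, s) \in \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\flat\psi)) \times
\mathrm{St}_{\mathcal{G}}$;

— $\aleph_{\flat\psi} \triangleq \aleph_{\psi}$.

Intuitively, the UCT $\mathcal{U}^{\mathcal{G}}_{\flat\psi}$ simply runs the UCW $\mathcal{U}_{\psi}$ on the branch of the encoding individuated
by the assignment in input. Thus, it is easy to see that, for all states $s \in \mathrm{St}_{\mathcal{G}}$ and assignments
$\chi \in \mathrm{Asg}_{\mathcal{G}}(\mathrm{free}(\flat\psi), s)$, it holds that $\mathcal{G}, \chi, s \models \flat\psi$ iff $\mathcal{T} \in L(\mathcal{U}^{\mathcal{G}}_{\flat\psi})$, where $\mathcal{T}$ is the assignment-state
encoding for $\chi$. □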

Now, to describe our modified technique, we introduce a new concept of encoding regarding the 
elementary dependence maps over strategies. 

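Definition 5.11 (Elementary Dependence-State Encoding). Let $\mathcal{G}$ be a Cgs, $s \in \mathrm{St}_{\mathcal{G}}$ one of its
states, and $\theta \in \mathrm{EDM}_{\mathrm{Str}_{\mathcal{G}}(s)}(\wp)$ an elementary dependence map over strategies for a quantification
prefix $\wp \in \mathrm{Qnt}(\mathrm{V})$ over the set $\mathrm{V} \subseteq \mathrm{Var}$. Then, a $(\mathrm{DM}_{\mathrm{Ac}_{\mathcal{G}}}(\wp) \times \mathrm{St}_{\mathcal{G}})$-labeled $\mathrm{St}_{\mathcal{G}}$-tree $\mathcal{T} \triangleq \langle T,
u \rangle$, where $T \triangleq \{\rho_{\geq 1} : \rho \in \mathrm{Trk}_{\mathcal{G}}(s)\}$, is an elementary dependence-state encoding for $\theta$ if it holds
that $u(t) \triangleq (\widetilde{\theta}(s \cdot t), \mathrm{lst}(s \cdot t))$, for all $t \in T$.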

Observe that there exists a unique elementary dependence-state encoding for each elementary de- 
pendence map over strategies. 

In the next lemma, we show how to handle locally the strategy quantifications on each state 
of the model, by simply using a quantification over actions, which is modeled by the choice of an 
action dependence map. Intuitively, we guess in the labeling what is the right part of the dependence 
map over strategies for each node of the tree and then verify that, for all assignments of universal 
variables, the corresponding complete assignment satisfies the inner formula. 

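Lemma 5.12 (Sl[1g] Sentence Automaton). Let $\mathcal{G}$ be a Cgs and $\wp\flat\psi$ an Sl[1g] principal
sentence without principal subsentences. Then, there exists a UCT $\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi} \triangleq \langle \mathrm{DM}_{\mathrm{Ac}_{\mathcal{G}}}(\wp) \times \mathrm{St}_{\mathcal{G}},
\mathrm{St}_{\mathcal{G}}, Q_{\wp\flat\psi}, \delta_{\wp\flat\psi}, q_{0\wp\flat\psi}, \aleph_{\wp\flat\psi} \rangle$ such that, for all states $s \in \mathrm{St}_{\mathcal{G}}$ and elementary dependence maps
over strategies $\theta \in \mathrm{EDM}_{\mathrm{Str}_{\mathcal{G}}(s)}(\wp)$, it holds that $\mathcal{G}, \theta(\chi), s \models_{E} \flat\psi$, for all $\chi \in \mathrm{Asg}_{\mathcal{G}}([\![\wp]\!], s)$, iff
$\mathcal{T} \in L(\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi})$, where $\mathcal{T}$ is the elementary dependence-state encoding for $\theta$.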

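Proof. By Lemma 5.10 of Sl[1g] goal automaton, there is an UCT $\mathcal{U}^{\mathcal{G}}_{\flat\psi} = \langle \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}(\mathrm{free}(\flat\psi)) \times
\mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\flat\psi}, \delta_{\flat\psi}, q_{0\flat\psi}, \aleph_{\flat\psi} \rangle$ such that, for all states $s \in \mathrm{St}_{\mathcal{G}}$ and assignments $\chi \in
\mathrm{Asg}_{\mathcal{G}}(\mathrm{free}(\flat\psi), s)$, it holds that $\mathcal{G}, \chi, s \models \flat\psi$ iff $\mathcal{T} \in L(\mathcal{U}^{\mathcal{G}}_{\flat\psi})$, where $\mathcal{T}$ is the assignment-state
encoding for $\chi$.

Now, transform $\mathcal{U}^{\mathcal{G}}_{\flat\psi}$ into the new UCT $\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi} \triangleq \langle \mathrm{DM}_{\mathrm{Ac}_{\mathcal{G}}}(\wp) \times \mathrm{St}_{\mathcal{G}}, \mathrm{St}_{\mathcal{G}}, Q_{\wp\flat\psi}, \delta_{\wp\flat\psi}, q_{0\wp\flat\psi},
\aleph_{\wp\flat\psi} \rangle$, with $Q_{\wp\flat\psi} \triangleq Q_{\flat\psi}$, $q_{0\wp\flat\psi} \triangleq q_{0\flat\psi}$, and $\aleph_{\wp\flat\psi} \triangleq \aleph_{\flat\psi}$, which is used to handle the
quantification prefix $\wp$ atomically, where the transition function is defined as follows: $\delta_{\wp\flat\psi}(q, (\theta, s)) \triangleq
\bigwedge_{\mathsf{v} \in \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}([\![\wp]\!])} \delta_{\flat\psi}(q, (\theta(\mathsf{v}), s))$, for all $q \in Q_{\wp\flat\psi}$ and $(\theta, s) \in \mathrm{DM}_{\mathrm{Ac}_{\mathcal{G}}}(\wp) \times \mathrm{St}_{\mathcal{G}}$. Intuitively, $\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi}$
reads an action dependence map $\theta$ on each node of the input tree $\mathcal{T}$ labeled with a state $s$ of $\mathcal{G}$ and
simulates the execution of the transition function $\delta_{\flat\psi}(q, (\mathsf{v}, s))$ of $\mathcal{U}^{\mathcal{G}}_{\flat\psi}$, for each possible valuation
$\mathsf{v} = \theta(\mathsf{v}')$ on $\mathrm{free}(\flat\psi)$ obtained from $\theta$ by a universal valuation $\mathsf{v}' \in \mathrm{Val}_{\mathrm{Ac}_{\mathcal{G}}}([\![\wp]\!])$. It is important
to observe that we cannot move the component set $\mathrm{DM}_{\mathrm{Ac}_{\mathcal{G}}}(\wp)$ from the input alphabet to the states
of $\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi}$ by making a related guessing of the dependence map $\theta$ in the transition function, since we
have to ensure that all states in a given node of the tree $\mathcal{T}$, i.e., in each track of the original model
$\mathcal{G}$, make the same choice for $\theta$.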

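Finally, it remains to prove that, for all states $s \in \mathrm{St}_{\mathcal{G}}$ and elementary dependence maps over
strategies $\theta \in \mathrm{EDM}_{\mathrm{Str}_{\mathcal{G}}(s)}(\wp)$, it holds that $\mathcal{G}, \theta(\chi), s \models_{E} \flat\psi$, for all $\chi \in \mathrm{Asg}_{\mathcal{G}}([\![\wp]\!], s)$, iff $\mathcal{T} \in
L(\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi})$, where $\mathcal{T}$ is the elementary dependence-state encoding for $\theta$.

[Only if]. Suppose that $\mathcal{G}, \theta(\chi), s \models_{E} \flat\psi$, for all $\chi \in \mathrm{Asg}_{\mathcal{G}}([\![\wp]\!], s)$. Since $\psi$ does not contain
principal subsentences, we have that $\mathcal{G}, \theta(\chi), s \models \flat\psi$. So, due to the property of $\mathcal{U}^{\mathcal{G}}_{\flat\psi}$, it follows
that there exists an assignment-state encoding $\mathcal{T}_{\chi} \in L(\mathcal{U}^{\mathcal{G}}_{\flat\psi})$, which implies the existence of an
$(\mathrm{St}_{\mathcal{G}} \times Q_{\flat\psi})$-tree $R_{\chi}$ that is an accepting run for $\mathcal{U}^{\mathcal{G}}_{\flat\psi}$ on $\mathcal{T}_{\chi}$. At this point, let $R \triangleq \bigcup_{\chi \in \mathrm{Asg}_{\mathcal{G}}([\![\wp]\!], s)} R_{\chi}$
be the union of all runs. Then, due to the particular definition of the transition function of $\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi}$, it
is not hard to see that $R$ is an accepting run for $\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi}$ on $\mathcal{T}$. Hence, $\mathcal{T} \in L(\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi})$.

[If]. Suppose that $\mathcal{T} \in L(\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi})$. Then, there exists an $(\mathrm{St}_{\mathcal{G}} \times Q_{\wp\flat\psi})$-tree $R$ that is an accepting run
for $\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi}$ on $\mathcal{T}$. Now, for each $\chi \in \mathrm{Asg}_{\mathcal{G}}([\![\wp]\!], s)$, let $R_{\chi}$ be the run for $\mathcal{U}^{\mathcal{G}}_{\flat\psi}$ on the assignment-state
encoding $\mathcal{T}_{\chi}$ for $\theta(\chi)$. Due to the particular definition of the transition function of $\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi}$, it is easy to
see that $R_{\chi} \subseteq R$. Thus, since $R$ is accepting, we have that $R_{\chi}$ is accepting as well. So, $\mathcal{T}_{\chi} \in L(\mathcal{U}^{\mathcal{G}}_{\flat\psi})$.
At this point, due to the property of $\mathcal{U}^{\mathcal{G}}_{\flat\psi}$, it follows that $\mathcal{G}, \theta(\chi), s \models \flat\psi$. Now, since $\psi$ does not
contain principal subsentences, we have that $\mathcal{G}, \theta(\chi), s \models_{E} \flat\psi$, for all $\chi \in \mathrm{Asg}_{\mathcal{G}}([\![\wp]\!], s)$. □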

At this point, we can prove the following theorem that is at the base of the elementary model- 
checking procedure for Sl[1g]. 

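Theorem 5.13 (Sl[1g] Sentence Automaton). Let $\mathcal{G}$ be a Cgs, $s \in \mathrm{St}_{\mathcal{G}}$ one of its states,
and $\wp\flat\psi$ an Sl[1g] principal sentence without principal subsentences. Then, there exists an NPT
$\mathcal{N}^{\mathcal{G},s}_{\wp\flat\psi}$ such that $\mathcal{G}, \emptyset, s \models \wp\flat\psi$ iff $L(\mathcal{N}^{\mathcal{G},s}_{\wp\flat\psi}) \neq \emptyset$.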

Proof. As in the general case of Sl sentence automaton, we have to ensure that the state labeling
of nodes of the elementary dependence-state encoding is coherent with the node itself. To do
this, we apply Theorem 5.4 of Apt direction projection with distinguished direction $s$ to the Upt
$\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi}$ derived by Lemma 5.12 of the Sl[1g] sentence automaton, thus obtaining the required NPT.

[Only if]. Suppose that $\mathcal{G}, \emptyset, s \models \wp\flat\psi$. By Corollary 4.25 of Sl[1g] elementariness, it means that
$\mathcal{G}, \emptyset, s \models_{E} \wp\flat\psi$. Then, by Definition 4.11 of Sl[ng] elementary semantics, there exists an elementary
dependence map $\theta \in \mathrm{EDM}_{\mathrm{Str}_{\mathcal{G}}(s)}(\wp)$ such that $\mathcal{G}, \theta(\chi), s \models_{E} \flat\psi$, for all $\chi \in \mathrm{Asg}_{\mathcal{G}}([\![\wp]\!], s)$.
Thus, by Lemma 5.12 we have that $\mathcal{T} \in L(\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi})$, where $\mathcal{T}$ is the elementary dependence-state
encoding for $\theta$. Hence, by Theorem 5.4 it holds that $L(\mathcal{N}^{\mathcal{G},s}_{\wp\flat\psi}) \neq \emptyset$.

[If]. Suppose that $L(\mathcal{N}^{\mathcal{G},s}_{\wp\flat\psi}) \neq \emptyset$. Then, by Theorem 5.4 there exists an $(\mathrm{DM}_{\mathrm{Ac}_{\mathcal{G}}}(\wp) \times \mathrm{St}_{\mathcal{G}})$-labeled
$\mathrm{St}_{\mathcal{G}}$-tree $\mathcal{T}$ such that $\mathcal{T} \in L(\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi})$. Now, it is immediate to see that there is an elementary
dependence map $\theta \in \mathrm{EDM}_{\mathrm{Str}_{\mathcal{G}}(s)}(\wp)$ for which $\mathcal{T}$ is the elementary dependence-state encoding.
Thus, by Lemma 5.12 we have that $\mathcal{G}, \theta(\chi), s \models_{E} \flat\psi$, for all $\chi \in \mathrm{Asg}_{\mathcal{G}}([\![\wp]\!], s)$. By Definition 4.11
of Sl[ng] elementary semantics, it holds that $\mathcal{G}, \emptyset, s \models_{E} \wp\flat\psi$. Hence, by Corollary 4.25 of Sl[1g]
elementariness, it means that $\mathcal{G}, \emptyset, s \models \wp\flat\psi$. □

Finally, we show in the next fundamental theorem the precise complexity of the model-checking 
for Sl[1g]. 

Theorem 5.14 (Sl[1g] Model Checking). The model-checking problem for Sl[1g] is
PTime-complete w.r.t. the size of the model and 2ExpTime-complete w.r.t. the size of the
specification.

Proof. By Theorem 5.13 of Sl[1g] sentence automaton, to verify that $\mathcal{G}, \emptyset, s \models \wp\flat\psi$, we
simply calculate the emptiness of the NPT $\mathcal{N}^{\mathcal{G},s}_{\wp\flat\psi}$. This automaton is obtained by the operation of
direction projection on the UCT $\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi}$, which is in turn derived by the UCT $\mathcal{U}^{\mathcal{G}}_{\flat\psi}$. Now, it is easy
to see that the number of states of $\mathcal{U}^{\mathcal{G}}_{\flat\psi}$, and consequently of $\mathcal{U}^{\mathcal{G}}_{\wp\flat\psi}$, is $2^{O(\mathrm{lng}(\psi))}$. So, $\mathcal{N}^{\mathcal{G},s}_{\wp\flat\psi}$ has
$|\mathrm{St}_{\mathcal{G}}| \cdot 2^{2^{O(\mathrm{lng}(\psi))}}$ states and index $2^{O(\mathrm{lng}(\psi))}$.

The emptiness problem for such a kind of automaton with $n$ states and index $h$ is solvable in time
$O(n^h)$ [Kupferman and Vardi 1998]. Thus, we get that the time complexity of checking whether
$\mathcal{G}, \emptyset, s \models \wp\flat\psi$ is $|\mathrm{St}_{\mathcal{G}}|^{2^{O(\mathrm{lng}(\psi))}}$. At this point, since we have to do this verification for each possible
state $s \in \mathrm{St}_{\mathcal{G}}$ and principal subsentence $\wp\flat\psi \in \mathrm{psnt}(\varphi)$ of the whole Sl[1g] specification $\varphi$, we
derive that the whole bottom-up model-checking procedure requires time $|\mathrm{St}_{\mathcal{G}}|^{2^{O(\mathrm{lng}(\varphi))}}$. Hence, the
membership of the model-checking problem for Sl[1g] in PTime w.r.t. the size of the model and
2ExpTime w.r.t. the size of the specification directly follows. Finally, the thesis is proved by getting
the relative lower bounds from the same problem for Atl* [Alur et al. 2002]. □

6. CONCLUSION 

In this paper, we introduced and studied Sl as a very powerful logic formalism for reasoning about
strategic behaviors of multi-agent concurrent games. In particular, we proved that it subsumes the
classical temporal and game logics not using explicit fix-points. As one of the main results about
Sl, we have shown that the relative model-checking problem is decidable but non-elementary hard. As
further and interesting practical results, we investigated several of its syntactic fragments. The most 
appealing one is Sl[1g], which is obtained by restricting Sl to deal with one temporal goal at a 
time. Interestingly, Sl[1g] strictly extends Atl*, while maintaining all its positive properties. In 
fact, the model-checking problem is 2ExpTime-complete, hence not harder than the one for
Atl*. Moreover, although for the sake of space it is not reported in this paper, we have shown that it
is invariant under bisimulation and decision-unwinding, and consequently, it has the decision-tree
model property. The main reason why Sl[1g] has all these positive properties is that it satisfies a
special model property, which we name "elementariness". Informally, this property asserts that all
strategy quantifications in a sentence can be reduced to a set of quantifications over actions, which 
turn out to be easier to handle. We remark that among all Sl fragments we investigated, Sl[1g] 
is the only one that satisfies this property. As far as we know, Sl[1g] is the first significant proper 
extension of Atl* having an elementary model-checking problem, and even more, with the same 
computational complexity. All these positive aspects make us strongly believe that Sl[1g] is a valid 
alternative to Atl* to be used in the field of formal verification for multi-agent concurrent systems. 

As another interesting fragment we investigated in this paper, we recall Sl[bg]. This logic allows
us to express important game-theoretic properties, such as Nash equilibrium, which cannot be
defined in Sl[1g]. Unfortunately, we do not have an elementary model-checking procedure for it,
nor can we exclude it. We leave this investigation as future work.

Last but not least, from a theoretical point of view, we are convinced that our framework can 
be used as a unifying basis for logic reasonings about strategic behaviors in multi-agent scenarios 
and their relationships. In particular, it can be used to study variations and extensions of Sl[1g] 
in a way similar to what has been done in the literature for Atl*. For example, it could be interesting
to investigate memoryful Sl[1g], by inheriting and extending the "memoryful" concept used
for Atl* and CHP-Sl and investigated in [Mogavero et al. 2010b] and [Fisman et al. 2010], respectively.
Also, we recall that this concept implicitly allows one to deal with backwards temporal modalities.
As another example, it would be interesting to investigate the graded extension of Sl[1g], in
a way similar to what has been done in [Bianco et al. 2009] [Bianco et al. 2010] [Bianco et al. 2012]
and [Kupferman et al. 2002] [Bonatti et al. 2008] for Ctl and μCalculus, respectively. We recall
that graded quantifiers in branching-time temporal logics allow one to count how many equivalence
classes of paths satisfy a given property. This concept in Sl[1g] would further allow the counting
of strategies and so to succinctly check the existence of more than one nonequivalent winning
strategy for a given agent, in one shot. We hope to lift to graded Sl[1g] questions left open about
graded branching-time temporal logic, such as the precise satisfiability complexity of graded full
computation tree logic [Bianco et al. 2012].

A. MATHEMATICAL NOTATION 

In this short reference appendix, we report the classical mathematical notation and some common 
definitions that are used along the whole work. 

Classic objects. We consider $\mathbb{N}$ as the set of natural numbers and $[m, n] \triangleq \{k \in \mathbb{N} : m \leq k \leq
n\}$, $[m, n[ \triangleq \{k \in \mathbb{N} : m \leq k < n\}$, $]m, n] \triangleq \{k \in \mathbb{N} : m < k \leq n\}$, and $]m, n[ \triangleq \{k \in \mathbb{N} :
m < k < n\}$ as its interval subsets, with $m \in \mathbb{N}$ and $n \in \widehat{\mathbb{N}} \triangleq \mathbb{N} \cup \{\omega\}$, where $\omega$ is the numerable
infinity, i.e., the least infinite ordinal. Given a set $X$ of objects, we denote by $|X| \in \widehat{\mathbb{N}} \cup \{\infty\}$
the cardinality of $X$, i.e., the number of its elements, where $\infty$ represents a more than countable
cardinality, and by $2^{X} \triangleq \{Y : Y \subseteq X\}$ the powerset of $X$, i.e., the set of all its subsets.

Relations. By $R \subseteq X \times Y$ we denote a relation between the domain $\mathrm{dom}(R) \triangleq X$ and codomain
$\mathrm{cod}(R) \triangleq Y$, whose range is indicated by $\mathrm{rng}(R) \triangleq \{y \in Y : \exists x \in X. (x, y) \in R\}$. We use
$R^{-1} \triangleq \{(y, x) \in Y \times X : (x, y) \in R\}$ to represent the inverse of $R$ itself. Moreover, by $S \circ R$,
with $R \subseteq X \times Y$ and $S \subseteq Y \times Z$, we denote the composition of $R$ with $S$, i.e., the relation
$S \circ R \triangleq \{(x, z) \in X \times Z : \exists y \in Y. (x, y) \in R \wedge (y, z) \in S\}$. We also use $R^{n} \triangleq R^{n-1} \circ R$, with
$n \in [1, \omega[$, to indicate the $n$-iteration of $R \subseteq X \times Y$, where $Y \subseteq X$ and $R^{0} \triangleq \{(y, y) : y \in Y\}$ is
the identity on $Y$. With $R^{+} \triangleq \bigcup_{n=1}^{<\omega} R^{n}$ and $R^{*} \triangleq R^{+} \cup R^{0}$ we denote, respectively, the transitive
and reflexive-transitive closure of $R$. Finally, for an equivalence relation $R \subseteq X \times X$ on $X$, we
represent with $(X/R) \triangleq \{[x]_R : x \in X\}$, where $[x]_R \triangleq \{x' \in X : (x, x') \in R\}$, the quotient set of
$X$ w.r.t. $R$, i.e., the set of all related equivalence classes $[\cdot]_R$.

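Functions. We use the symbol $Y^{X} \subseteq 2^{X \times Y}$ to denote the set of total functions $\mathsf{f}$ from $X$ to $Y$,
i.e., the relations $\mathsf{f} \subseteq X \times Y$ such that for all $x \in \mathrm{dom}(\mathsf{f})$ there is exactly one element $y \in \mathrm{cod}(\mathsf{f})$
such that $(x, y) \in \mathsf{f}$. Often, we write $\mathsf{f} : X \to Y$ and $\mathsf{f} : X \rightharpoonup Y$ to indicate, respectively, $\mathsf{f} \in Y^{X}$
and $\mathsf{f} \in \bigcup_{X' \subseteq X} Y^{X'}$. Regarding the latter, note that we consider $\mathsf{f}$ as a partial function from $X$ to
$Y$, where $\mathrm{dom}(\mathsf{f}) \subseteq X$ contains all and only the elements for which $\mathsf{f}$ is defined. Given a set $Z$, by
$\mathsf{f}{\upharpoonright}_{Z} \triangleq \mathsf{f} \cap (Z \times Y)$ we denote the restriction of $\mathsf{f}$ to the set $X \cap Z$, i.e., the function $\mathsf{f}{\upharpoonright}_{Z} : X \cap Z \rightharpoonup Y$
such that, for all $x \in \mathrm{dom}(\mathsf{f}) \cap Z$, it holds that $\mathsf{f}{\upharpoonright}_{Z}(x) = \mathsf{f}(x)$. Moreover, with $\emptyset$ we indicate a
generic empty function, i.e., a function with empty domain. Note that $X \cap Z = \emptyset$ implies $\mathsf{f}{\upharpoonright}_{Z} = \emptyset$.
Finally, for two partial functions $\mathsf{f}, \mathsf{g} : X \rightharpoonup Y$, we use $\mathsf{f} \Cup \mathsf{g}$ and $\mathsf{f} \Cap \mathsf{g}$ to represent, respectively, the
union and intersection of these functions defined as follows: $\mathrm{dom}(\mathsf{f} \Cup \mathsf{g}) \triangleq \mathrm{dom}(\mathsf{f}) \cup \mathrm{dom}(\mathsf{g}) \setminus \{x \in
\mathrm{dom}(\mathsf{f}) \cap \mathrm{dom}(\mathsf{g}) : \mathsf{f}(x) \neq \mathsf{g}(x)\}$, $\mathrm{dom}(\mathsf{f} \Cap \mathsf{g}) \triangleq \{x \in \mathrm{dom}(\mathsf{f}) \cap \mathrm{dom}(\mathsf{g}) : \mathsf{f}(x) = \mathsf{g}(x)\}$,
$(\mathsf{f} \Cup \mathsf{g})(x) = \mathsf{f}(x)$ for $x \in \mathrm{dom}(\mathsf{f} \Cup \mathsf{g}) \cap \mathrm{dom}(\mathsf{f})$, $(\mathsf{f} \Cup \mathsf{g})(x) = \mathsf{g}(x)$ for $x \in \mathrm{dom}(\mathsf{f} \Cup \mathsf{g}) \cap \mathrm{dom}(\mathsf{g})$,
and $(\mathsf{f} \Cap \mathsf{g})(x) = \mathsf{f}(x)$ for $x \in \mathrm{dom}(\mathsf{f} \Cap \mathsf{g})$.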

Words. By $X^{n}$, with $n \in \mathbb{N}$, we denote the set of all $n$-tuples of elements from $X$, by $X^{*} \triangleq
\bigcup_{n=0}^{<\omega} X^{n}$ the set of finite words on the alphabet $X$, by $X^{+} \triangleq X^{*} \setminus \{\varepsilon\}$ the set of non-empty words,
and by $X^{\omega}$ the set of infinite words, where, as usual, $\varepsilon \in X^{*}$ is the empty word. The length of a
word $w \in X^{\infty} \triangleq X^{*} \cup X^{\omega}$ is represented with $|w| \in \widehat{\mathbb{N}}$. By $(w)_i$ we indicate the $i$-th letter of the
finite word $w \in X^{+}$, with $i \in [0, |w|[$. Furthermore, by $\mathrm{fst}(w) \triangleq (w)_0$ (resp., $\mathrm{lst}(w) \triangleq (w)_{|w|-1}$),
we denote the first (resp., last) letter of $w$. In addition, by $(w)_{\leq i}$ (resp., $(w)_{>i}$), we indicate the
prefix up to (resp., suffix after) the letter of index $i$ of $w$, i.e., the finite word built by the first
$i + 1$ (resp., last $|w| - i - 1$) letters $(w)_0, \ldots, (w)_i$ (resp., $(w)_{i+1}, \ldots, (w)_{|w|-1}$). We also set
$(w)_{<0} \triangleq \varepsilon$, $(w)_{<i} \triangleq (w)_{\leq i-1}$, $(w)_{\geq 0} \triangleq w$, and $(w)_{\geq i} \triangleq (w)_{>i-1}$, for $i \in [1, |w|[$. Mutatis
mutandis, the notations of $i$-th letter, first, prefix, and suffix apply to infinite words too. Finally, by
$\mathrm{pfx}(w_1, w_2) \in X^{\infty}$ we denote the maximal common prefix of two different words $w_1, w_2 \in X^{\infty}$,
i.e., the finite word $w \in X^{*}$ for which there are two words $w'_1, w'_2 \in X^{\infty}$ such that $w_1 = w \cdot w'_1$,
$w_2 = w \cdot w'_2$, and $\mathrm{fst}(w'_1) \neq \mathrm{fst}(w'_2)$. By convention, we set $\mathrm{pfx}(w, w) \triangleq w$.

Trees. For a set $\Delta$ of objects, called directions, a $\Delta$-tree is a set $T \subseteq \Delta^{*}$ closed under prefix, i.e.,
if $t \cdot d \in T$, with $d \in \Delta$, then also $t \in T$. We say that it is complete if it holds that $t \cdot d' \in T$
whenever $t \cdot d \in T$, for all $d' < d$, where $< \subseteq \Delta \times \Delta$ is an a priori fixed strict total order on the
set of directions that is clear from the context. Moreover, it is full if $T = \Delta^{*}$. The elements of $T$ are
called nodes and the empty word $\varepsilon$ is the root of $T$. For every $t \in T$ and $d \in \Delta$, the node $t \cdot d \in T$ is
a successor of $t$ in $T$. The tree is $b$-bounded if the maximal number $b$ of its successor nodes is finite,
i.e., $b = \max_{t \in T} |\{t \cdot d \in T : d \in \Delta\}| < \omega$. A branch of the tree is an infinite word $w \in \Delta^{\omega}$ such
that $(w)_{\leq i} \in T$, for all $i \in \mathbb{N}$. For a finite set $\Sigma$ of objects, called symbols, a $\Sigma$-labeled $\Delta$-tree is a
quadruple $\langle \Sigma, \Delta, T, \mathsf{v} \rangle$, where $T$ is a $\Delta$-tree and $\mathsf{v} : T \to \Sigma$ is a labeling function. When $\Delta$ and $\Sigma$
are clear from the context, we call $\langle T, \mathsf{v} \rangle$ simply a (labeled) tree.

B. PROOFS OF SECTION ?? 

In this appendix, we report the proofs of lemmas needed to prove the elementariness of Sl[1g]. 
Before this, we describe two relevant properties that link together dependence maps of a given 
quantification prefix with those of the dual one. These properties report, in the dependence maps 
framework, what is known to hold, in an equivalent way, for first and second order logic. In particu- 
lar, they result to be two key points towards a complete understanding of the strategy quantifications 
of our logic. 

The first of these properties highlights the fact that two arbitrary dual dependence maps $\theta$ and $\overline{\theta}$
always share a common valuation $\mathsf{v}$. To better understand this concept, consider for instance the
functions $\theta_1$ and $\overline{\theta}_6$ of the examples illustrated just after Definition 4.5 of dependence maps. Then,
it is easy to see that the valuation $\mathsf{v} \in \mathrm{Val}_{\mathrm{D}}(\mathrm{V})$ with $\mathsf{v}(x) = \mathsf{v}(y) = 1$ and $\mathsf{v}(z) =$ resides in both
the ranges of $\theta_1$ and $\overline{\theta}_6$, i.e., $\mathsf{v} \in \mathrm{rng}(\theta_1) \cap \mathrm{rng}(\overline{\theta}_6)$.

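Lemma B.1 (Dependence Incidence). Let $\wp \in \mathrm{Qnt}(\mathrm{V})$ be a quantification prefix over a
set of variables $\mathrm{V} \subseteq \mathrm{Var}$ and $\mathrm{D}$ a generic set. Moreover, let $\theta \in \mathrm{DM}_{\mathrm{D}}(\wp)$ and $\overline{\theta} \in \mathrm{DM}_{\mathrm{D}}(\overline{\wp})$ be two
dependence maps. Then, there exists a valuation $\mathsf{v} \in \mathrm{Val}_{\mathrm{D}}(\mathrm{V})$ such that $\mathsf{v} = \theta(\mathsf{v}{\upharpoonright}_{[\![\wp]\!]}) = \overline{\theta}(\mathsf{v}{\upharpoonright}_{[\![\overline{\wp}]\!]})$.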

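Proof. W.l.o.g., suppose that $\wp$ starts with an existential quantifier. If this is not the case, the
dual prefix $\overline{\wp}$ necessarily satisfies the above requirement, so, we can simply shift our reasoning on
it.

The whole proof proceeds by induction on the alternation number $\mathrm{alt}(\wp)$ of $\wp$. As base case, if
$\mathrm{alt}(\wp) = 0$, we define $\mathsf{v} \triangleq \theta(\emptyset)$, since $[\![\wp]\!] = \emptyset$. Obviously, it holds that $\mathsf{v} = \theta(\mathsf{v}{\upharpoonright}_{[\![\wp]\!]}) = \overline{\theta}(\mathsf{v}{\upharpoonright}_{[\![\overline{\wp}]\!]})$,
due to the fact that $\mathsf{v}{\upharpoonright}_{[\![\wp]\!]} = \emptyset$ and $\mathsf{v}{\upharpoonright}_{[\![\overline{\wp}]\!]} = \mathsf{v}$. Now, as inductive case, suppose that the statement
is true for all prefixes $\wp' \in \mathrm{Qnt}(\mathrm{V}')$ with $\mathrm{alt}(\wp') = n$, where $\mathrm{V}' \subseteq \mathrm{V}$. Then, we prove that it is
true for all prefixes $\wp \in \mathrm{Qnt}(\mathrm{V})$ with $\mathrm{alt}(\wp) = n + 1$ too. To do this, we have to uniquely split
$\wp = \wp' \cdot \wp''$ into the two prefixes $\wp' \in \mathrm{Qnt}(\mathrm{V}')$ and $\wp'' \in \mathrm{Qnt}(\mathrm{V} \setminus \mathrm{V}')$ such that $\mathrm{alt}(\wp') = n$ and
$\mathrm{alt}(\wp'') = 0$. At this point, the following two cases can arise.

— If $n$ is even, it is immediate to see that $\langle\!\langle \wp'' \rangle\!\rangle = \emptyset$. So, consider the dependence maps $\theta' \in
\mathrm{DM}_{\mathrm{D}}(\wp')$ and $\overline{\theta}' \in \mathrm{DM}_{\mathrm{D}}(\overline{\wp}')$ such that $\theta'(\mathsf{v}{\upharpoonright}_{[\![\wp']\!]}) = \theta(\mathsf{v}){\upharpoonright}_{\mathrm{V}'}$ and $\overline{\theta}'(\overline{\mathsf{v}}) = \overline{\theta}(\overline{\mathsf{v}}){\upharpoonright}_{\mathrm{V}'}$, for all
valuations $\mathsf{v} \in \mathrm{Val}_{\mathrm{D}}([\![\wp]\!])$ and $\overline{\mathsf{v}} \in \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}]\!]) = \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}']\!])$. By the inductive hypothesis, there
exists a valuation $\mathsf{v}' \in \mathrm{Val}_{\mathrm{D}}(\mathrm{V}')$ such that $\mathsf{v}' = \theta'(\mathsf{v}'{\upharpoonright}_{[\![\wp']\!]}) = \overline{\theta}'(\mathsf{v}'{\upharpoonright}_{[\![\overline{\wp}']\!]})$. So, set $\mathsf{v} \triangleq \overline{\theta}(\mathsf{v}'{\upharpoonright}_{[\![\overline{\wp}]\!]})$.

— If $n$ is odd, it is immediate to see that $[\![\wp'']\!] = \emptyset$. So, consider the dependence maps $\theta' \in \mathrm{DM}_{\mathrm{D}}(\wp')$
and $\overline{\theta}' \in \mathrm{DM}_{\mathrm{D}}(\overline{\wp}')$ such that $\theta'(\mathsf{v}) = \theta(\mathsf{v}){\upharpoonright}_{\mathrm{V}'}$ and $\overline{\theta}'(\overline{\mathsf{v}}{\upharpoonright}_{[\![\overline{\wp}']\!]}) = \overline{\theta}(\overline{\mathsf{v}}){\upharpoonright}_{\mathrm{V}'}$, for all valuations
$\mathsf{v} \in \mathrm{Val}_{\mathrm{D}}([\![\wp]\!]) = \mathrm{Val}_{\mathrm{D}}([\![\wp']\!])$ and $\overline{\mathsf{v}} \in \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}]\!])$. By the inductive hypothesis, there exists a
valuation $\mathsf{v}' \in \mathrm{Val}_{\mathrm{D}}(\mathrm{V}')$ such that $\mathsf{v}' = \theta'(\mathsf{v}'{\upharpoonright}_{[\![\wp']\!]}) = \overline{\theta}'(\mathsf{v}'{\upharpoonright}_{[\![\overline{\wp}']\!]})$. So, set $\mathsf{v} \triangleq \theta(\mathsf{v}'{\upharpoonright}_{[\![\wp]\!]})$.

Now, it is easy to see that in both cases the valuation $\mathsf{v}$ satisfies the thesis, i.e., $\mathsf{v} = \theta(\mathsf{v}{\upharpoonright}_{[\![\wp]\!]}) =
\overline{\theta}(\mathsf{v}{\upharpoonright}_{[\![\overline{\wp}]\!]})$. □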

The second property we are going to prove describes the fact that, if all dependence maps $\theta$ of a
given prefix $\wp$, for a dependent specific universal valuation $\mathsf{v}$, share a given property then there is a
dual dependence map $\overline{\theta}$ that has the same property, for all universal valuations $\overline{\mathsf{v}}$. To have a better
understanding of this idea, consider again the examples reported just after Definition 4.5 and let
$\mathrm{P} = \{(0, 0, 1), (0, 1, 0)\} \subseteq \mathrm{Val}_{\mathrm{D}}(\mathrm{V})$, where the triple $(l, m, n)$ stands for the valuation that assigns
$l$ to $x$, $m$ to $y$, and $n$ to $z$. Then, it is easy to see that all ranges of the dependence maps $\theta_i$ for $\wp$
intersect $\mathrm{P}$, i.e., for all $i \in [0, 3]$, there is $\mathsf{v} \in \mathrm{Val}_{\mathrm{D}}([\![\wp]\!])$ such that $\theta_i(\mathsf{v}) \in \mathrm{P}$. Moreover, consider
the dual dependence map $\overline{\theta}_2$ for $\overline{\wp}$. Then, it is not hard to see that $\overline{\theta}_2(\overline{\mathsf{v}}) \in \mathrm{P}$, for all $\overline{\mathsf{v}} \in \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}]\!])$.

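Lemma B.2 (Dependence Dualization). Let $\wp \in \mathrm{Qnt}(\mathrm{V})$ be a quantification prefix over
a set of variables $\mathrm{V} \subseteq \mathrm{Var}$, $\mathrm{D}$ a generic set, and $\mathrm{P} \subseteq \mathrm{Val}_{\mathrm{D}}(\mathrm{V})$ a set of valuations of $\mathrm{V}$ over $\mathrm{D}$.
Moreover, suppose that, for all dependence maps $\theta \in \mathrm{DM}_{\mathrm{D}}(\wp)$, there is a valuation $\mathsf{v} \in \mathrm{Val}_{\mathrm{D}}([\![\wp]\!])$
such that $\theta(\mathsf{v}) \in \mathrm{P}$. Then, there exists a dependence map $\overline{\theta} \in \mathrm{DM}_{\mathrm{D}}(\overline{\wp})$ such that, for all valuations
$\overline{\mathsf{v}} \in \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}]\!])$, it holds that $\overline{\theta}(\overline{\mathsf{v}}) \in \mathrm{P}$.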

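Proof. The proof easily proceeds by induction on the length of the prefix $\wp$. As base case, when
$|\wp| = 0$, we have that $\mathrm{DM}_{\mathrm{D}}(\wp) = \mathrm{DM}_{\mathrm{D}}(\overline{\wp}) = \{\emptyset\}$, i.e., the only possible dependence map is the
empty function, which means that the statement is vacuously verified. As inductive case, we have
to distinguish between two cases, as follows.

— $\wp = \langle\!\langle x \rangle\!\rangle \cdot \wp'$.

As first thing, note that $[\![\wp]\!] = [\![\wp']\!]$ and, for all elements $e \in \mathrm{D}$, consider the projection $\mathrm{P}_e \triangleq
\{\mathsf{v}' \in \mathrm{Val}_{\mathrm{D}}(\mathrm{V}(\wp')) : \mathsf{v}'[x \mapsto e] \in \mathrm{P}\}$ of $\mathrm{P}$ on the variable $x$ with value $e$.

Then, by hypothesis, we can derive that, for all $e \in \mathrm{D}$ and $\theta' \in \mathrm{DM}_{\mathrm{D}}(\wp')$, there exists $\mathsf{v}' \in
\mathrm{Val}_{\mathrm{D}}([\![\wp']\!])$ such that $\theta'(\mathsf{v}') \in \mathrm{P}_e$. Indeed, let $e \in \mathrm{D}$ and $\theta' \in \mathrm{DM}_{\mathrm{D}}(\wp')$, and build the function $\theta :
\mathrm{Val}_{\mathrm{D}}([\![\wp]\!]) \to \mathrm{Val}_{\mathrm{D}}(\mathrm{V})$ given by $\theta(\mathsf{v}') \triangleq \theta'(\mathsf{v}')[x \mapsto e]$, for all $\mathsf{v}' \in \mathrm{Val}_{\mathrm{D}}([\![\wp]\!]) = \mathrm{Val}_{\mathrm{D}}([\![\wp']\!])$.
It is immediate to see that $\theta \in \mathrm{DM}_{\mathrm{D}}(\wp)$. So, by the hypothesis, there is $\mathsf{v}' \in \mathrm{Val}_{\mathrm{D}}([\![\wp]\!])$ such that
$\theta(\mathsf{v}') \in \mathrm{P}$, which implies $\theta'(\mathsf{v}')[x \mapsto e] \in \mathrm{P}$, and so, $\theta'(\mathsf{v}') \in \mathrm{P}_e$.

Now, by the inductive hypothesis, for all elements $e \in \mathrm{D}$, there exists $\overline{\theta}'_e \in \mathrm{DM}_{\mathrm{D}}(\overline{\wp}')$ such
that, for all $\overline{\mathsf{v}}' \in \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}']\!])$, it holds that $\overline{\theta}'_e(\overline{\mathsf{v}}') \in \mathrm{P}_e$, i.e., $\overline{\theta}'_e(\overline{\mathsf{v}}')[x \mapsto e] \in \mathrm{P}$.

At this point, consider the function $\overline{\theta} : \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}]\!]) \to \mathrm{Val}_{\mathrm{D}}(\mathrm{V})$ given by $\overline{\theta}(\overline{\mathsf{v}}) \triangleq
\overline{\theta}'_{\overline{\mathsf{v}}(x)}(\overline{\mathsf{v}}{\upharpoonright}_{[\![\overline{\wp}']\!]})[x \mapsto \overline{\mathsf{v}}(x)]$, for all $\overline{\mathsf{v}} \in \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}]\!])$. Then, it is possible to verify that $\overline{\theta} \in \mathrm{DM}_{\mathrm{D}}(\overline{\wp})$.
Indeed, for each $y \in [\![\overline{\wp}]\!]$ and $\overline{\mathsf{v}} \in \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}]\!])$, we have that $\overline{\theta}(\overline{\mathsf{v}})(y) = \overline{\theta}'_{\overline{\mathsf{v}}(x)}(\overline{\mathsf{v}}{\upharpoonright}_{[\![\overline{\wp}']\!]})[x \mapsto
\overline{\mathsf{v}}(x)](y)$. Now, if $y = x$ then $\overline{\theta}(\overline{\mathsf{v}})(y) = \overline{\mathsf{v}}(y)$. Otherwise, since $\overline{\theta}'_{\overline{\mathsf{v}}(x)}$ is a dependence map, it
holds that $\overline{\theta}(\overline{\mathsf{v}})(y) = \overline{\theta}'_{\overline{\mathsf{v}}(x)}(\overline{\mathsf{v}}{\upharpoonright}_{[\![\overline{\wp}']\!]})(y) = \overline{\mathsf{v}}{\upharpoonright}_{[\![\overline{\wp}']\!]}(y) = \overline{\mathsf{v}}(y)$. So, Item 1 of Definition 4.5 of
dependence maps is verified. It only remains to prove Item 2. Let $y \in \langle\!\langle \overline{\wp} \rangle\!\rangle$ and $\overline{\mathsf{v}}_1, \overline{\mathsf{v}}_2 \in \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}]\!])$,
with $\overline{\mathsf{v}}_1{\upharpoonright}_{\mathrm{Dep}(\overline{\wp}, y)} = \overline{\mathsf{v}}_2{\upharpoonright}_{\mathrm{Dep}(\overline{\wp}, y)}$. It is immediate to see that $x \in \mathrm{Dep}(\overline{\wp}, y)$, so, $\overline{\mathsf{v}}_1(x) = \overline{\mathsf{v}}_2(x)$,
which implies that $\overline{\theta}'_{\overline{\mathsf{v}}_1(x)} = \overline{\theta}'_{\overline{\mathsf{v}}_2(x)}$. At this point, again for the fact that $\overline{\theta}'_{\overline{\mathsf{v}}(x)}$ is a dependence
map, for each $\overline{\mathsf{v}} \in \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}]\!])$, we have that $\overline{\theta}'_{\overline{\mathsf{v}}_1(x)}(\overline{\mathsf{v}}_1{\upharpoonright}_{[\![\overline{\wp}']\!]})(y) = \overline{\theta}'_{\overline{\mathsf{v}}_2(x)}(\overline{\mathsf{v}}_2{\upharpoonright}_{[\![\overline{\wp}']\!]})(y)$. Thus,
it holds that $\overline{\theta}(\overline{\mathsf{v}}_1)(y) = \overline{\theta}'_{\overline{\mathsf{v}}_1(x)}(\overline{\mathsf{v}}_1{\upharpoonright}_{[\![\overline{\wp}']\!]})[x \mapsto \overline{\mathsf{v}}_1(x)](y) = \overline{\theta}'_{\overline{\mathsf{v}}_2(x)}(\overline{\mathsf{v}}_2{\upharpoonright}_{[\![\overline{\wp}']\!]})[x \mapsto \overline{\mathsf{v}}_2(x)](y) =
\overline{\theta}(\overline{\mathsf{v}}_2)(y)$.

Finally, it is enough to observe that, by construction, $\overline{\theta}(\overline{\mathsf{v}}) \in \mathrm{P}$, for all $\overline{\mathsf{v}} \in \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}]\!])$, since
$\overline{\theta}'_{\overline{\mathsf{v}}(x)}(\overline{\mathsf{v}}{\upharpoonright}_{[\![\overline{\wp}']\!]}) \in \mathrm{P}_{\overline{\mathsf{v}}(x)}$. Thus, the thesis holds for this case.

— $\wp = [\![x]\!] \cdot \wp'$.

We first show that there exists $e \in \mathrm{D}$ such that, for all $\theta' \in \mathrm{DM}_{\mathrm{D}}(\wp')$, there is $\mathsf{v}' \in \mathrm{Val}_{\mathrm{D}}([\![\wp']\!])$
for which $\theta'(\mathsf{v}') \in \mathrm{P}_e$ holds, where the set $\mathrm{P}_e$ is defined as above.

To do this, suppose by contradiction that, for all $e \in \mathrm{D}$, there is a $\theta'_e \in \mathrm{DM}_{\mathrm{D}}(\wp')$ such that,
for all $\mathsf{v}' \in \mathrm{Val}_{\mathrm{D}}([\![\wp']\!])$, it holds that $\theta'_e(\mathsf{v}') \notin \mathrm{P}_e$. Also, consider the function $\theta : \mathrm{Val}_{\mathrm{D}}([\![\wp]\!]) \to
\mathrm{Val}_{\mathrm{D}}(\mathrm{V})$ given by $\theta(\mathsf{v}) \triangleq \theta'_{\mathsf{v}(x)}(\mathsf{v}{\upharpoonright}_{[\![\wp']\!]})[x \mapsto \mathsf{v}(x)]$, for all $\mathsf{v} \in \mathrm{Val}_{\mathrm{D}}([\![\wp]\!])$. Then, it is possible to
verify that $\theta \in \mathrm{DM}_{\mathrm{D}}(\wp)$. Indeed, for each $y \in [\![\wp]\!]$ and $\mathsf{v} \in \mathrm{Val}_{\mathrm{D}}([\![\wp]\!])$, we have that $\theta(\mathsf{v})(y) =
\theta'_{\mathsf{v}(x)}(\mathsf{v}{\upharpoonright}_{[\![\wp']\!]})[x \mapsto \mathsf{v}(x)](y)$. Now, if $y = x$ then $\theta(\mathsf{v})(y) = \mathsf{v}(y)$. Otherwise, since $\theta'_{\mathsf{v}(x)}$ is a
dependence map, it holds that $\theta(\mathsf{v})(y) = \theta'_{\mathsf{v}(x)}(\mathsf{v}{\upharpoonright}_{[\![\wp']\!]})(y) = \mathsf{v}{\upharpoonright}_{[\![\wp']\!]}(y) = \mathsf{v}(y)$. So, Item 1 of
Definition 4.5 of dependence maps is verified. It only remains to prove Item 2. Let $y \in \langle\!\langle \wp \rangle\!\rangle$ and
$\mathsf{v}_1, \mathsf{v}_2 \in \mathrm{Val}_{\mathrm{D}}([\![\wp]\!])$, with $\mathsf{v}_1{\upharpoonright}_{\mathrm{Dep}(\wp, y)} = \mathsf{v}_2{\upharpoonright}_{\mathrm{Dep}(\wp, y)}$. It is immediate to see that $x \in \mathrm{Dep}(\wp, y)$,
so, $\mathsf{v}_1(x) = \mathsf{v}_2(x)$, which implies that $\theta'_{\mathsf{v}_1(x)} = \theta'_{\mathsf{v}_2(x)}$. At this point, again for the fact that $\theta'_{\mathsf{v}(x)}$ is
a dependence map, for each $\mathsf{v} \in \mathrm{Val}_{\mathrm{D}}([\![\wp]\!])$, we have that $\theta'_{\mathsf{v}_1(x)}(\mathsf{v}_1{\upharpoonright}_{[\![\wp']\!]})(y) = \theta'_{\mathsf{v}_2(x)}(\mathsf{v}_2{\upharpoonright}_{[\![\wp']\!]})(y)$.
Thus, it holds that $\theta(\mathsf{v}_1)(y) = \theta'_{\mathsf{v}_1(x)}(\mathsf{v}_1{\upharpoonright}_{[\![\wp']\!]})[x \mapsto \mathsf{v}_1(x)](y) = \theta'_{\mathsf{v}_2(x)}(\mathsf{v}_2{\upharpoonright}_{[\![\wp']\!]})[x \mapsto \mathsf{v}_2(x)](y) =
\theta(\mathsf{v}_2)(y)$. Now, by the contradiction hypothesis, we have that $\theta(\mathsf{v}) \notin \mathrm{P}$, for all $\mathsf{v} \in \mathrm{Val}_{\mathrm{D}}([\![\wp]\!])$,
since $\theta'_{\mathsf{v}(x)}(\mathsf{v}{\upharpoonright}_{[\![\wp']\!]}) \notin \mathrm{P}_{\mathsf{v}(x)}$, which is in evident contradiction with the hypothesis.

At this point, by the inductive hypothesis, there exists $\overline{\theta}' \in \mathrm{DM}_{\mathrm{D}}(\overline{\wp}')$ such that, for all $\overline{\mathsf{v}}' \in
\mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}']\!])$, it holds that $\overline{\theta}'(\overline{\mathsf{v}}') \in \mathrm{P}_e$, i.e., $\overline{\theta}'(\overline{\mathsf{v}}')[x \mapsto e] \in \mathrm{P}$.

Finally, build the function $\overline{\theta} : \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}]\!]) \to \mathrm{Val}_{\mathrm{D}}(\mathrm{V})$ given by $\overline{\theta}(\overline{\mathsf{v}}) \triangleq \overline{\theta}'(\overline{\mathsf{v}})[x \mapsto e]$, for
all $\overline{\mathsf{v}} \in \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}]\!]) = \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}']\!])$. It is immediate to see that $\overline{\theta} \in \mathrm{DM}_{\mathrm{D}}(\overline{\wp})$. Moreover, for all
valuations $\overline{\mathsf{v}} \in \mathrm{Val}_{\mathrm{D}}([\![\overline{\wp}]\!])$, it holds that $\overline{\theta}(\overline{\mathsf{v}}) \in \mathrm{P}$. Thus, the thesis holds for this case too.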

Hence, we are done with the proof of the lemma. □ 

At this point, we are able to give the proofs of Lemma 4.9 of adjoint dependence maps, 
Lemma 4.21 of dependence-vs-valuation duality, and Lemma 4.23 of encasement characterization. 

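Lemma B.3 (Adjoint Dependence Maps). Let $\wp \in \mathrm{Qnt}(V)$ be a quantification prefix over 
a set of variables $V \subseteq \mathrm{Var}$, $D$ and $T$ two generic sets, and $\theta : \mathrm{Val}_{T \to D}([[\wp]]) \to \mathrm{Val}_{T \to D}(V)$ and 
$\widetilde{\theta} : T \to (\mathrm{Val}_D([[\wp]]) \to \mathrm{Val}_D(V))$ two functions such that $\widetilde{\theta}$ is the adjoint of $\theta$. Then, $\theta \in \mathrm{DM}_{T \to D}(\wp)$ 
iff, for all $t \in T$, it holds that $\widetilde{\theta}(t) \in \mathrm{DM}_D(\wp)$. 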

Proof. To prove the statement, it is enough to show, separately, that Items 1 and 2 of 
Definition 4.5 of dependence maps hold for $\theta$ if the $\widetilde{\theta}(t)$ satisfies the same items, for all $t \in T$, and vice 
versa. 

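[Item 1, if]. Assume that $\widetilde{\theta}(t)$ satisfies Item 1, for each $t \in T$, i.e., $\widetilde{\theta}(t)(v) \upharpoonright [[\wp]] = v$, for all 
$v \in \mathrm{Val}_D([[\wp]])$. Then, we have that $\widetilde{\theta}(t)(\widehat{g}(t)) = \widehat{g}(t)$, so, $\widetilde{\theta}(t)(\widehat{g}(t))(x) = \widehat{g}(t)(x)$, for all 
$g \in \mathrm{Val}_{T \to D}([[\wp]])$ and $x \in [[\wp]]$. By hypothesis, we have that $\theta(g)(x)(t) = \widetilde{\theta}(t)(\widehat{g}(t))(x)$, thus 
$\theta(g)(x)(t) = \widehat{g}(t)(x) = g(x)(t)$, which means that $\theta(g) \upharpoonright [[\wp]] = g$, for all $g \in \mathrm{Val}_{T \to D}([[\wp]])$. 

[Item 1, only if]. Assume now that $\theta$ satisfies Item 1, i.e., $\theta(g) \upharpoonright [[\wp]] = g$, for all $g \in \mathrm{Val}_{T \to D}([[\wp]])$. 
Then, we have that $\theta(g)(x)(t) = g(x)(t)$, for all $x \in [[\wp]]$ and $t \in T$. By hypothesis, we have 
that $\widetilde{\theta}(t)(\widehat{g}(t))(x) = \theta(g)(x)(t)$, so, $\widetilde{\theta}(t)(\widehat{g}(t))(x) = g(x)(t) = \widehat{g}(t)(x)$, which means that 
$\widetilde{\theta}(t)(\widehat{g}(t)) \upharpoonright [[\wp]] = \widehat{g}(t)$. Now, since for each $v \in \mathrm{Val}_D([[\wp]])$, there is a $g \in \mathrm{Val}_{T \to D}([[\wp]])$ such 
that $\widehat{g}(t) = v$, we obtain that $\widetilde{\theta}(t)(v) \upharpoonright [[\wp]] = v$, for all $v \in \mathrm{Val}_D([[\wp]])$ and $t \in T$. 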

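[Item 2, if]. Assume that $\widetilde{\theta}(t)$ satisfies Item 2, for each $t \in T$, i.e., $\widetilde{\theta}(t)(v_1)(x) = \widetilde{\theta}(t)(v_2)(x)$, 
for all $v_1, v_2 \in \mathrm{Val}_D([[\wp]])$ and $x \in \langle\langle\wp\rangle\rangle$ such that $v_1 \upharpoonright \mathrm{Dep}(\wp, x) = v_2 \upharpoonright \mathrm{Dep}(\wp, x)$. Then, we have 
that $\widetilde{\theta}(t)(\widehat{g_1}(t))(x) = \widetilde{\theta}(t)(\widehat{g_2}(t))(x)$, for all $g_1, g_2 \in \mathrm{Val}_{T \to D}([[\wp]])$ such that $g_1 \upharpoonright \mathrm{Dep}(\wp, x) = 
g_2 \upharpoonright \mathrm{Dep}(\wp, x)$. By hypothesis, we have that $\theta(g_1)(x)(t) = \widetilde{\theta}(t)(\widehat{g_1}(t))(x)$ and $\widetilde{\theta}(t)(\widehat{g_2}(t))(x) = 
\theta(g_2)(x)(t)$, thus $\theta(g_1)(x)(t) = \theta(g_2)(x)(t)$. Hence, $\theta(g_1)(x) = \theta(g_2)(x)$, for all $g_1, g_2 \in 
\mathrm{Val}_{T \to D}([[\wp]])$ and $x \in \langle\langle\wp\rangle\rangle$ such that $g_1 \upharpoonright \mathrm{Dep}(\wp, x) = g_2 \upharpoonright \mathrm{Dep}(\wp, x)$. 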

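[Item 2, only if]. Assume that $\theta$ satisfies Item 2, i.e., $\theta(g_1)(x) = \theta(g_2)(x)$, for all $g_1, g_2 \in 
\mathrm{Val}_{T \to D}([[\wp]])$ and $x \in \langle\langle\wp\rangle\rangle$ such that $g_1 \upharpoonright \mathrm{Dep}(\wp, x) = g_2 \upharpoonright \mathrm{Dep}(\wp, x)$. Then, we have that $\theta(g_1)(x)(t) = 
\theta(g_2)(x)(t)$, for all $t \in T$. By hypothesis, we have that $\widetilde{\theta}(t)(\widehat{g_1}(t))(x) = \theta(g_1)(x)(t)$ and 
$\theta(g_2)(x)(t) = \widetilde{\theta}(t)(\widehat{g_2}(t))(x)$, hence $\widetilde{\theta}(t)(\widehat{g_1}(t))(x) = \widetilde{\theta}(t)(\widehat{g_2}(t))(x)$. Now, since for each 
$v_1, v_2 \in \mathrm{Val}_D([[\wp]])$, with there are $g_1, g_2 \in \mathrm{Val}_{T \to D}([[\wp]])$ such 
that $\widehat{g_1}(t) = v_1$ and $\widehat{g_2}(t) = v_2$, with $g_1 \upharpoonright \mathrm{Dep}(\wp, x) = g_2 \upharpoonright \mathrm{Dep}(\wp, x)$, we obtain that $\widetilde{\theta}(t)(v_1)(x) = 
\widetilde{\theta}(t)(v_2)(x)$, for all $v_1, v_2 \in \mathrm{Val}_D([[\wp]])$ and $x \in \langle\langle\wp\rangle\rangle$ such that $v_1 \upharpoonright \mathrm{Dep}(\wp, x) = v_2 \upharpoonright \mathrm{Dep}(\wp, x)$. □ 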
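
A finite sanity check of Lemma B.3, added here as an illustration and not taken from the paper: it enumerates every family of candidate maps over a small domain and confirms that the map built from the family is a dependence map exactly when each member is. The prefix (forall x, exists y, forall z), the sets D = T = {0, 1}, the reading of Dep as "universal variables quantified earlier", and all function names are assumptions of the example.

```python
from itertools import product

# Constructed sample prefix "forall x, exists y, forall z" (A = universal, E = existential).
PREFIX = [("A", "x"), ("E", "y"), ("A", "z")]
VARS = [v for _, v in PREFIX]
UNIV = [v for k, v in PREFIX if k == "A"]
EXIST = [v for k, v in PREFIX if k == "E"]

def dep(y):
    """Assumed Dep(prefix, y): the universal variables quantified before y."""
    return [v for k, v in PREFIX[:VARS.index(y)] if k == "A"]

def valuations(domain):
    """All valuations of the universal variables over `domain`."""
    return [dict(zip(UNIV, c)) for c in product(domain, repeat=len(UNIV))]

def is_dependence_map(theta, domain):
    vals = valuations(domain)
    # Item 1: theta(v) restricted to the universal variables is v itself.
    if any(theta(v)[x] != v[x] for v in vals for x in UNIV):
        return False
    # Item 2: theta(v)(y) is fixed by v restricted to Dep(prefix, y).
    return all(theta(v1)[y] == theta(v2)[y]
               for y in EXIST for v1, v2 in product(vals, repeat=2)
               if all(v1[x] == v2[x] for x in dep(y)))

def from_adjoint(family):
    """theta with theta(g)(x)(t) = family[t](g^(t))(x), where g^(t)(x) = g(x)[t]."""
    def theta(g):
        cuts = [th({x: g[x][t] for x in UNIV}) for t, th in enumerate(family)]
        return {x: tuple(c[x] for c in cuts) for x in VARS}
    return theta

def check_lemma(D=(0, 1), t_size=2):
    """Return (#dependence maps over D, #families checked); raise on a counterexample."""
    ins = [tuple(v[x] for x in UNIV) for v in valuations(D)]
    cands = []  # every way to pick y from (x, z); Item 1 holds by construction
    for ys in product(D, repeat=len(ins)):
        table = dict(zip(ins, ys))
        cands.append(lambda v, tb=table: {**v, "y": tb[tuple(v[x] for x in UNIV)]})
    good = [is_dependence_map(c, D) for c in cands]
    t_to_d = list(product(D, repeat=t_size))  # the function space T -> D as tuples
    families = list(product(range(len(cands)), repeat=t_size))
    for idx in families:
        lifted = is_dependence_map(from_adjoint([cands[i] for i in idx]), t_to_d)
        assert lifted == all(good[i] for i in idx), idx
    return sum(good), len(families)

if __name__ == "__main__":
    print(check_lemma())  # (dependence maps over D, families verified)
```
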

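Lemma B.4 (Dependence-vs-Valuation Duality). Let $\mathcal{G}$ be a Cgs, $s \in \mathrm{St}$ one of its 
states, $P \subseteq \mathrm{Pth}(s)$ a set of paths, $\wp \in \mathrm{Qnt}(V)$ a quantification prefix over a set of variables 
$V \subseteq \mathrm{Var}$, and $\flat \in \mathrm{Bnd}(V)$ a binding. Then, player even wins the TPG $\mathcal{H}(\mathcal{G}, s, P, \wp, \flat)$ iff player 
odd wins the dual TPG $\overline{\mathcal{H}}(\mathcal{G}, s, \mathrm{Pth}(s) \setminus P, \wp, \flat)$. 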

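Proof. Let $\mathcal{A}$ and $\overline{\mathcal{A}}$ be, respectively, the two Tpas $\mathcal{A}(\mathcal{G}, s, \wp, \flat)$ and $\overline{\mathcal{A}}(\mathcal{G}, s, \wp, \flat)$. It is easy 
to observe that $\mathrm{Pos}_{e\mathcal{A}} = \mathrm{Pos}_{e\overline{\mathcal{A}}} = \mathrm{Trk}(s)$. Moreover, it holds that $\mathrm{Pos}_{o\mathcal{A}} = \{\rho \cdot (\mathrm{lst}(\rho), \theta) : 
\rho \in \mathrm{Trk}(s) \wedge \theta \in \mathrm{DM}_{\mathrm{Ac}}(\wp)\}$ and $\mathrm{Pos}_{o\overline{\mathcal{A}}} = \{\rho \cdot (\mathrm{lst}(\rho), \overline{\theta}) : \rho \in \mathrm{Trk}(s) \wedge \overline{\theta} \in \mathrm{DM}_{\mathrm{Ac}}(\overline{\wp})\}$. We 
now prove, separately, the two directions of the statement. 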

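[Only if]. Suppose that player even wins the TPG $\mathcal{H}(\mathcal{G}, s, P, \wp, \flat)$. Then, there exists an even 
scheme $s_e \in \mathrm{Sch}_{e\mathcal{A}}$ such that, for all odd schemes $s_o \in \mathrm{Sch}_{o\mathcal{A}}$, it holds that $\mathrm{mtc}_{\mathcal{A}}(s_e, s_o) \in P$. Now, 
to prove that odd wins the dual TPG $\overline{\mathcal{H}}(\mathcal{G}, s, \mathrm{Pth}(s) \setminus P, \wp, \flat)$, we have to show that there exists an 
odd scheme $\overline{s_o} \in \mathrm{Sch}_{o\overline{\mathcal{A}}}$ such that, for all even schemes $\overline{s_e} \in \mathrm{Sch}_{e\overline{\mathcal{A}}}$, it holds that $\mathrm{mtc}_{\overline{\mathcal{A}}}(\overline{s_e}, \overline{s_o}) \in P$. 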

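To do this, let us first consider a function $z : \mathrm{DM}_{\mathrm{Ac}}(\wp) \times \mathrm{DM}_{\mathrm{Ac}}(\overline{\wp}) \to \mathrm{Val}_{\mathrm{Ac}}(V)$ such that 
$z(\theta, \overline{\theta}) = \theta(z(\theta, \overline{\theta}) \upharpoonright [[\wp]]) = \overline{\theta}(z(\theta, \overline{\theta}) \upharpoonright [[\overline{\wp}]])$, for all $\theta \in \mathrm{DM}_{\mathrm{Ac}}(\wp)$ and $\overline{\theta} \in \mathrm{DM}_{\mathrm{Ac}}(\overline{\wp})$. The existence 
of such a function is ensured by Lemma B.1 on the dependence incidence. 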

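Now, define the odd scheme $\overline{s_o} \in \mathrm{Sch}_{o\overline{\mathcal{A}}}$ in $\overline{\mathcal{A}}$ as follows: $\overline{s_o}(\rho \cdot (\mathrm{lst}(\rho), \overline{\theta})) \triangleq \tau(\mathrm{lst}(\rho), z(\theta, \overline{\theta}) \circ 
\zeta_\flat)$, for all $\rho \in \mathrm{Trk}(s)$ and $\overline{\theta} \in \mathrm{DM}_{\mathrm{Ac}}(\overline{\wp})$, where $\theta \in \mathrm{DM}_{\mathrm{Ac}}(\wp)$ is such that $s_e(\rho) = (\mathrm{lst}(\rho), \theta)$. 
Moreover, let $\overline{s_e} \in \mathrm{Sch}_{e\overline{\mathcal{A}}}$ be a generic even scheme in $\overline{\mathcal{A}}$ and consider the derived odd scheme 
$s_o \in \mathrm{Sch}_{o\mathcal{A}}$ in $\mathcal{A}$ defined as follows: $s_o(\rho \cdot (\mathrm{lst}(\rho), \theta)) \triangleq \tau(\mathrm{lst}(\rho), z(\theta, \overline{\theta}) \circ \zeta_\flat)$, for all $\rho \in \mathrm{Trk}(s)$ 
and $\theta \in \mathrm{DM}_{\mathrm{Ac}}(\wp)$, where $\overline{\theta} \in \mathrm{DM}_{\mathrm{Ac}}(\overline{\wp})$ is such that $\overline{s_e}(\rho) = (\mathrm{lst}(\rho), \overline{\theta})$. 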

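At this point, it remains only to prove that $\varpi = \overline{\varpi}$, where $\varpi = \mathrm{mtc}_{\mathcal{A}}(s_e, s_o)$ and $\overline{\varpi} = 
\mathrm{mtc}_{\overline{\mathcal{A}}}(\overline{s_e}, \overline{s_o})$. To do this, we proceed by induction on the prefixes of the matches, i.e., we show that 
$(\varpi)_{\leq i} = (\overline{\varpi})_{\leq i}$, for all $i \in \mathbb{N}$. The base case is immediate by definition of match, since we have that 
$(\varpi)_{\leq 0} = s = (\overline{\varpi})_{\leq 0}$. Now, as inductive case, suppose that $(\varpi)_{\leq i} = (\overline{\varpi})_{\leq i}$, for $i \in \mathbb{N}$. By the 
definition of match, we have that $(\varpi)_{i+1} = s_o((\varpi)_{\leq i} \cdot s_e((\varpi)_{\leq i}))$ and $= \overline{s_o}((\overline{\varpi})_{\leq i} \cdot \overline{s_e}((\overline{\varpi})_{\leq i}))$. 
Moreover, by the inductive hypothesis, it follows that $s_o((\varpi)_{\leq i} \cdot s_e((\varpi)_{\leq i})) = s_o((\overline{\varpi})_{\leq i} \cdot 
s_e((\overline{\varpi})_{\leq i}))$. At this point, let $\theta \in \mathrm{DM}_{\mathrm{Ac}}(\wp)$ and $\overline{\theta} \in \mathrm{DM}_{\mathrm{Ac}}(\overline{\wp})$ be two quantification dependence 
maps such that $s_e((\overline{\varpi})_{\leq i}) = ((\overline{\varpi})_i, \theta)$ and $\overline{s_e}((\overline{\varpi})_{\leq i}) = ((\overline{\varpi})_i, \overline{\theta})$. Consequently, by substituting 
the values of the even schemes $s_e$ and $\overline{s_e}$, it holds that $= s_o((\overline{\varpi})_{\leq i} \cdot ((\overline{\varpi})_i, \theta))$ and 
$(\overline{\varpi})_{i+1} = \overline{s_o}((\overline{\varpi})_{\leq i} \cdot ((\overline{\varpi})_i, \overline{\theta}))$. Furthermore, by the definition of the odd schemes $s_o$ and $\overline{s_o}$, it 
follows that $s_o((\overline{\varpi})_{\leq i} \cdot ((\overline{\varpi})_i, \theta)) = \tau((\overline{\varpi})_i, z(\theta, \overline{\theta}) \circ \zeta_\flat) = \overline{s_o}((\overline{\varpi})_{\leq i} \cdot ((\overline{\varpi})_i, \overline{\theta}))$. Thus, we have 
that = which implies $(\varpi)_{\leq i+1} = (\overline{\varpi})_{\leq i+1}$. 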

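[If]. Suppose that player odd wins the dual TPG $\overline{\mathcal{H}}(\mathcal{G}, s, \mathrm{Pth}(s) \setminus P, \wp, \flat)$. Then, there exists an 
odd scheme $\overline{s_o} \in \mathrm{Sch}_{o\overline{\mathcal{A}}}$ such that, for all even schemes $\overline{s_e} \in \mathrm{Sch}_{e\overline{\mathcal{A}}}$, it holds that $\mathrm{mtc}_{\overline{\mathcal{A}}}(\overline{s_e}, \overline{s_o}) \in P$. 
Now, to prove that even wins the TPG $\mathcal{H}(\mathcal{G}, s, P, \wp, \flat)$, we have to show that there exists an even 
scheme $s_e \in \mathrm{Sch}_{e\mathcal{A}}$ such that, for all odd schemes $s_o \in \mathrm{Sch}_{o\mathcal{A}}$, it holds that $\mathrm{mtc}_{\mathcal{A}}(s_e, s_o) \in P$. 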

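To do this, let us first consider the two functions $g : \mathrm{Trk}(s) \to 2^{\mathrm{Val}_{\mathrm{Ac}}(V)}$ and $h : \mathrm{Trk}(s) \to 2^{\mathrm{St}}$ 
such that $g(\rho) \triangleq \{\overline{\theta}(v) : \overline{\theta} \in \mathrm{DM}_{\mathrm{Ac}}(\overline{\wp}) \wedge v \in \mathrm{Val}_{\mathrm{Ac}}([[\overline{\wp}]]) \wedge \overline{s_o}(\rho \cdot (\mathrm{lst}(\rho), \overline{\theta})) = \tau(\mathrm{lst}(\rho), \overline{\theta}(v) \circ \zeta_\flat)\}$ 
and $h(\rho) = \{\overline{s_o}(\rho \cdot (\mathrm{lst}(\rho), \overline{\theta})) : \overline{\theta} \in \mathrm{DM}_{\mathrm{Ac}}(\overline{\wp})\}$, for all $\rho \in \mathrm{Trk}(s)$. Now, it is easy to see that, for 
each $\rho \in \mathrm{Trk}(s)$ and $\overline{\theta} \in \mathrm{DM}_{\mathrm{Ac}}(\overline{\wp})$, there is $v \in \mathrm{Val}_{\mathrm{Ac}}([[\overline{\wp}]])$ such that $\overline{\theta}(v) \in g(\rho)$. Consequently, 
by Lemma B.2 on dependence dualization, for all $\rho \in \mathrm{Trk}(s)$, there is $\theta_\rho \in \mathrm{DM}_{\mathrm{Ac}}(\wp)$ such that, 
for each $v \in \mathrm{Val}_{\mathrm{Ac}}([[\wp]])$, it holds that $\theta_\rho(v) \in g(\rho)$, and so, $\tau(\mathrm{lst}(\rho), \theta_\rho(v) \circ \zeta_\flat) \in h(\rho)$. 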

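Now, define the even scheme $s_e \in \mathrm{Sch}_{e\mathcal{A}}$ in $\mathcal{A}$ as follows: $s_e(\rho) = (\mathrm{lst}(\rho), \theta_\rho)$, for all $\rho \in \mathrm{Trk}(s)$. 
Moreover, let $s_o \in \mathrm{Sch}_{o\mathcal{A}}$ be a generic odd scheme in $\mathcal{A}$ and consider the derived even scheme 
$\overline{s_e} \in \mathrm{Sch}_{e\overline{\mathcal{A}}}$ in $\overline{\mathcal{A}}$ defined as follows: $\overline{s_e}(\rho) \triangleq (\mathrm{lst}(\rho), \overline{\theta}_\rho)$, for all $\rho \in \mathrm{Trk}(s)$, where $\overline{\theta}_\rho \in \mathrm{DM}_{\mathrm{Ac}}(\overline{\wp})$ 
is such that $s_o(\rho \cdot (\mathrm{lst}(\rho), \theta_\rho)) = \overline{s_o}(\rho \cdot (\mathrm{lst}(\rho), \overline{\theta}_\rho))$. The existence of such a dependence map is 
ensured by the previous membership of the successor of $\mathrm{lst}(\rho)$ in $h(\rho)$. 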

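At this point, it remains only to prove that $\varpi = \overline{\varpi}$, where $\varpi = \mathrm{mtc}_{\mathcal{A}}(s_e, s_o)$ and $\overline{\varpi} \triangleq 
\mathrm{mtc}_{\overline{\mathcal{A}}}(\overline{s_e}, \overline{s_o})$. To do this, we proceed by induction on the prefixes of the matches, i.e., we show 
that $(\varpi)_{\leq i} = (\overline{\varpi})_{\leq i}$, for all $i \in \mathbb{N}$. The base case is immediate by definition of match, since 
we have that $(\varpi)_{\leq 0} = s = (\overline{\varpi})_{\leq 0}$. Now, as inductive case, suppose that $(\varpi)_{\leq i} = (\overline{\varpi})_{\leq i}$, 
for $i \in \mathbb{N}$. By the definition of match, we have that $(\varpi)_{i+1} = s_o((\varpi)_{\leq i} \cdot s_e((\varpi)_{\leq i}))$ and 
$= \overline{s_o}((\overline{\varpi})_{\leq i} \cdot \overline{s_e}((\overline{\varpi})_{\leq i}))$. Moreover, by the inductive hypothesis, it follows that $s_o((\varpi)_{\leq i} \cdot 
s_e((\varpi)_{\leq i})) = s_o((\overline{\varpi})_{\leq i} \cdot s_e((\overline{\varpi})_{\leq i}))$. Now, by substituting the values of the even schemes $s_e$ and $\overline{s_e}$, 
we have that $(\varpi)_{i+1} = s_o((\overline{\varpi})_{\leq i} \cdot ((\overline{\varpi})_i, \theta_{(\overline{\varpi})_{\leq i}}))$ and $= \overline{s_o}((\overline{\varpi})_{\leq i} \cdot ((\overline{\varpi})_i, \overline{\theta}_{(\overline{\varpi})_{\leq i}}))$. At this 
point, due to the choice of the dependence map $\overline{\theta}_{(\overline{\varpi})_{\leq i}}$, it holds that $s_o((\overline{\varpi})_{\leq i} \cdot ((\overline{\varpi})_i, \theta_{(\overline{\varpi})_{\leq i}})) = 
\overline{s_o}((\overline{\varpi})_{\leq i} \cdot$ Thus, we have that $(\varpi)_{i+1} =$ which implies $(\varpi)_{\leq i+1} =$ 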

Lemma B.5 (Encasement Characterization). Let $\mathcal{G}$ be a Cgs, $s \in \mathrm{St}$ one of its states, 
$P \subseteq \mathrm{Pth}(s)$ a set of paths, $\wp \in \mathrm{Qnt}(V)$ a quantification prefix over a set of variables $V \subseteq \mathrm{Var}$, 
and $\flat \in \mathrm{Bnd}(V)$ a binding. Then, the following hold: 

(i) player even wins $\mathcal{H}(\mathcal{G}, s, P, \wp, \flat)$ iff $P$ is an encasement w.r.t. $\wp$ and $\flat$; 

(ii) if player odd wins $\mathcal{H}(\mathcal{G}, s, P, \wp, \flat)$ then $P$ is not an encasement w.r.t. $\wp$ and $\flat$; 

(iii) if $P$ is a Borelian set and it is not an encasement w.r.t. $\wp$ and $\flat$ then player odd wins 
$\mathcal{H}(\mathcal{G}, s, P, \wp, \flat)$. 

Proof. [Item i, only if]. Suppose that player even wins the TPG $\mathcal{H}(\mathcal{G}, s, P, \wp, \flat)$. Then, there 
exists an even scheme $s_e \in \mathrm{Sch}_e$ such that, for all odd schemes $s_o \in \mathrm{Sch}_o$, it holds that $\mathrm{mtc}(s_e, s_o) \in 
P$. Now, to prove the statement, we have to show that there exists an elementary dependence map 
$\theta \in \mathrm{EDM}_{\mathrm{Str}(s)}(\wp)$ such that, for all assignments $\chi \in \mathrm{Asg}([[\wp]], s)$, it holds that $\mathrm{play}(\theta(\chi) \circ \zeta_\flat, s) \in 
P$. 

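To do this, consider the function $w : \mathrm{Trk}(s) \to \mathrm{DM}_{\mathrm{Ac}}(\wp)$ constituting the projection of 
$s_e$ on the second component of its codomain, i.e., for all $\rho \in \mathrm{Trk}(s)$, it holds that $s_e(\rho) = 
(\mathrm{lst}(\rho), w(\rho))$. By Lemma 4.9 on adjoint dependence maps, there exists an elementary dependence 
map $\theta \in \mathrm{EDM}_{\mathrm{Str}(s)}(\wp)$ for which $w$ is the adjoint, i.e., $w = \widetilde{\theta}$. Moreover, let $\chi \in \mathrm{Asg}([[\wp]], s)$ 
be a generic assignment and consider the derived odd scheme $s_o \in \mathrm{Sch}_o$ defined as follows: 
$s_o(\rho \cdot (\mathrm{lst}(\rho), \theta')) = \tau(\mathrm{lst}(\rho), \theta'(\widehat{\chi}(\rho)) \circ \zeta_\flat)$, for all $\rho \in \mathrm{Trk}(s)$ and $\theta' \in \mathrm{DM}_{\mathrm{Ac}}(\wp)$. 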
At this point, it remains only to prove that $\pi = \varpi$, where $\pi = \mathrm{play}(\theta(\chi) \circ \zeta_\flat, s)$ and $\varpi = 
\mathrm{mtc}(s_e, s_o)$. To do this, we proceed by induction on the prefixes of both the play and the match, i.e., 
we show that $(\pi)_{\leq i} = (\varpi)_{\leq i}$, for all $i \in \mathbb{N}$. The base case is immediate by definition, since we have 
that $(\pi)_{\leq 0} = s = (\varpi)_{\leq 0}$. Now, as inductive case, suppose that $(\pi)_{\leq i} = (\varpi)_{\leq i}$, for $i \in \mathbb{N}$. On one 
hand, by the definition of match, we have that $(\varpi)_{i+1} = s_o((\varpi)_{\leq i} \cdot s_e((\varpi)_{\leq i}))$, from which, by 
substituting the value of the even scheme $s_e$, we derive $(\varpi)_{i+1} = s_o((\varpi)_{\leq i} \cdot ((\varpi)_i, \widetilde{\theta}((\varpi)_{\leq i})))$. On the 
other hand, by the definition of play, we have that $(\pi)_{i+1} = \tau((\pi)_i, \widetilde{\theta}((\pi)_{\leq i})(\widehat{\chi}((\pi)_{\leq i})) \circ \zeta_\flat)$, from 
which, by using the definition of the odd scheme $s_o$, we derive $(\pi)_{i+1} = s_o((\pi)_{\leq i} \cdot ((\pi)_i, \widetilde{\theta}((\pi)_{\leq i})))$. 
Then, by the inductive hypothesis, we have that $= s_o((\varpi)_{\leq i} \cdot ((\varpi)_i, \widetilde{\theta}((\varpi)_{\leq i}))) = 
s_o((\pi)_{\leq i} \cdot ((\pi)_i, \widetilde{\theta}((\pi)_{\leq i}))) = (\pi)_{i+1}$, which implies $(\varpi)_{\leq i+1} = (\pi)_{\leq i+1}$. 

[Item i, if]. Suppose that $P$ is an encasement w.r.t. $\wp$ and $\flat$. Then, there exists an elementary 
dependence map $\theta \in \mathrm{EDM}_{\mathrm{Str}(s)}(\wp)$ such that, for all assignments $\chi \in \mathrm{Asg}([[\wp]], s)$, it holds that 
$\mathrm{play}(\theta(\chi) \circ \zeta_\flat, s) \in P$. Now, to prove the statement, we have to show that there exists an even 
scheme $s_e \in \mathrm{Sch}_e$ such that, for all odd schemes $s_o \in \mathrm{Sch}_o$, it holds that $\mathrm{mtc}(s_e, s_o) \in P$. 

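To do this, consider the even scheme $s_e \in \mathrm{Sch}_e$ defined as follows: $s_e(\rho) = (\mathrm{lst}(\rho), \widetilde{\theta}(\rho))$, for 
all $\rho \in \mathrm{Trk}(s)$. Observe that, by Lemma 4.9 on adjoint dependence maps, the definition is 
well-formed. Moreover, let $s_o \in \mathrm{Sch}_o$ be a generic odd scheme and consider a derived assignment $\chi \in 
\mathrm{Asg}([[\wp]], s)$ satisfying the following property: $\widehat{\chi}(\rho) \in \{v \in \mathrm{Val}_{\mathrm{Ac}}([[\wp]]) : s_o(\rho \cdot (\mathrm{lst}(\rho), \widetilde{\theta}(\rho))) = 
\tau(\mathrm{lst}(\rho), \widetilde{\theta}(\rho)(v) \circ \zeta_\flat)\}$, for all $\rho \in \mathrm{Trk}(s)$. 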

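At this point, it remains only to prove that $\pi = \varpi$, where $\pi = \mathrm{play}(\theta(\chi) \circ \zeta_\flat, s)$ and $\varpi = 
\mathrm{mtc}(s_e, s_o)$. To do this, we proceed by induction on the prefixes of both the play and the match, i.e., 
we show that $(\pi)_{\leq i} = (\varpi)_{\leq i}$, for all $i \in \mathbb{N}$. The base case is immediate by definition, since we 
have that $(\pi)_{\leq 0} = s = (\varpi)_{\leq 0}$. Now, as inductive case, suppose that $(\pi)_{\leq i} = (\varpi)_{\leq i}$, for $i \in \mathbb{N}$. On 
one hand, by the definition of match, we have that $(\varpi)_{i+1} = s_o((\varpi)_{\leq i} \cdot s_e((\varpi)_{\leq i}))$, from which, 
by the definition of the even scheme $s_e$, we derive $(\varpi)_{i+1} = s_o((\varpi)_{\leq i} \cdot ((\varpi)_i, \widetilde{\theta}((\varpi)_{\leq i})))$. On the 
other hand, by the definition of play, we have that $(\pi)_{i+1} = \tau((\pi)_i, \widetilde{\theta}((\pi)_{\leq i})(\widehat{\chi}((\pi)_{\leq i})) \circ \zeta_\flat)$, from 
which, by the choice of the assignment $\chi$, we derive $(\pi)_{i+1} = s_o((\pi)_{\leq i} \cdot ((\pi)_i, \widetilde{\theta}((\pi)_{\leq i})))$. Then, 
by the inductive hypothesis, we have that $= s_o((\varpi)_{\leq i} \cdot ((\varpi)_i, \widetilde{\theta}((\varpi)_{\leq i}))) = s_o((\pi)_{\leq i} \cdot 
((\pi)_i, \widetilde{\theta}((\pi)_{\leq i}))) = (\pi)_{i+1}$, which implies $(\varpi)_{\leq i+1} = (\pi)_{\leq i+1}$. 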

[Item ii]. If player odd wins the TPG $\mathcal{H}(\mathcal{G}, s, P, \wp, \flat)$, we have that player even does not win the 
same game. Consequently, by Item i, it holds that $P$ is not an encasement w.r.t. $\wp$ and $\flat$. 

[Item iii]. If $P$ is not an encasement w.r.t. $\wp$ and $\flat$, by Item i, we have that player even does not 
win the TPG $\mathcal{H}(\mathcal{G}, s, P, \wp, \flat)$. Now, since $P$ is Borelian, by the determinacy theorem [Martin 1975; 
Martin 1985], it holds that player odd wins the same game. □ 